Automated Malware Analysis IOC Report for

Details

Filetype:	Rich Text Format data, version 1, unknown character set
Entropy:	3.122485201064406
Filename:	P0_00122.doc
Filesize:	42511
MD5:	9b56693e37a46a7083049d26043c1e49
SHA1:	ebbdaf2a87d12a423e9e89ca66f6381d6e13393e
SHA256:	4369a2729f0a74892b91cc750e3e9faab1e392aa09e60525cc45f5259c74343b
SHA512:	3d7cd4ab1ed9bcc27cf2db21b87252fbf7f5788dd45c23d63ce7980ffd7a0be6b10955c6876c6f2a1a9dafb6b18ad27fac7cde7eeccd5a1ac4a2eca6253e58fe
SSDEEP:	768:SOqaqRb/9SSn3CDZra5sxV/JTEwMy9V3MnRZyTO:1qV/9SSn3CDZra5sxV/dEwMy9V3MnRZb
Preview:	{\rtf1574@??,.8)<@.@!#3%!+__&\|-41.$0\|?.??.[@..!?14(..6`\|!#=.7.3.4+.7[+?8$_4<?+_^^~.<!//[?3)?^=7,?;4$!6#~4@]?:@+,%]'.8'!-^[?1...%^[3$`?_]^\|]?>$!#%?77?4@(1:3$4?>.7?.8^%#=?7[.+6.@2$!9?,2$]^.+%=?=]=?`2%?;/#_`/01:?@+..;<4^[@8???.160+):%%?(0?=$^&)$5>]2;%3

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sample is known by Antivirus	System Summary

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\plugmanzx[1].exe
IE cache URL:	http://paxz.tk/plugmanzx.exe
Category:	downloaded
Dump:	plugmanzx[1].exe.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.786929247209251
Encrypted:	false
Ssdeep:	12288:+K777777777777cP+K8+Zt+9vpb0qOpPx4MQer7Z0mzQmTpvGrUK:+K777777777777c++2x7Ojdr2mzQcvGA
Size:	459264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: File Dropped By EQNEDT32EXE	Exploits
Machine Learning detection for dropped file	AV Detection
Office equation editor drops PE file	System Summary
Drops PE files	Persistence and Installation Behavior

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{68E37369-07A5-4DAF-B360-5250F0AAA6E9}.tmp
Category:	dropped
Dump:	~WRF{68E37369-07A5-4DAF-B360-5250F0AAA6E9}.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	Composite Document File V2 Document, Cannot read section info
Entropy:	3.9006325569125986
Encrypted:	false
Ssdeep:	48:ra6f+dFl85gNtsPKCjJKtuDmTzm/sYGt+7YPP9Auz9w:e6fD5g7CVjQkam/Dfe9/m
Size:	5120
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection

Details

File:	C:\Users\user\AppData\Local\Temp\tmp1B2F.tmp
Category:	dropped
Dump:	tmp1B2F.tmp.4.dr
ID:	dr_10
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\plugmahm65898.exe
Type:	XML 1.0 document, ASCII text
Entropy:	5.111597063355989
Encrypted:	false
Ssdeep:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTKv
Size:	1578
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicius Add Task From User AppData Temp	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat
Category:	dropped
Dump:	run.dat.9.dr
ID:	dr_20
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	data
Entropy:	3.0
Encrypted:	false
Ssdeep:	3:an:an
Size:	8
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: NanoCore	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality

Details

File:	C:\Users\user\AppData\Roaming\RlKeHhAgpZws.exe
Category:	dropped
Dump:	RlKeHhAgpZws.exe.4.dr
ID:	dr_9
Target ID:	4
Process:	C:\Users\user\AppData\Roaming\plugmahm65898.exe
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.786929247209251
Encrypted:	false
Ssdeep:	12288:+K777777777777cP+K8+Zt+9vpb0qOpPx4MQer7Z0mzQmTpvGrUK:+K777777777777c++2x7Ojdr2mzQcvGA
Size:	459264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Machine Learning detection for dropped file	AV Detection
Sigma detected: Powershell Defender Exclusion	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Sigma detected: Non Interactive PowerShell	System Summary
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Roaming\plugmahm65898.exe
Category:	dropped
Dump:	plugmahm65898.exe.2.dr
ID:	dr_8
Target ID:	2
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.786929247209251
Encrypted:	false
Ssdeep:	12288:+K777777777777cP+K8+Zt+9vpb0qOpPx4MQer7Z0mzQmTpvGrUK:+K777777777777c++2x7Ojdr2mzQcvGA
Size:	459264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Droppers Exploiting CVE-2017-11882	System Summary
Adds a directory exclusion to Windows Defender	HIPS / PFW / Operating System Protection Evasion	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for dropped file	AV Detection
Office equation editor drops PE file	System Summary
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)	Exploits	Exploitation for Client Execution
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments	System Summary
Sigma detected: Powershell Defender Exclusion	System Summary
Sigma detected: Suspicius Add Task From User AppData Temp	System Summary
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Encrypted Channel Archive Collected Data
Drops PE files	Persistence and Installation Behavior
Enables debug privileges	Anti Debugging
Found inlined nop instructions (likely shell or obfuscated code)	Software Vulnerabilities	Obfuscated Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary	System Information Discovery
Sigma detected: Non Interactive PowerShell	System Summary
Sigma detected: Possible Applocker Bypass	System Summary
Spawns processes	System Summary	Process Injection
Uses an in-process (OLE) Automation server	System Summary
Uses Microsoft Silverlight	System Summary

Details

File:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Category:	dropped
Dump:	smtpsvc.exe.9.dr
ID:	dr_15
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.136703067968073
Encrypted:	false
Ssdeep:	768:Vjs96lj/cps+zk2d0suWB6Iq8NbeYjiwMEBQwp:VAhRzdd0sHI+eYfMEBHp
Size:	45216
Whitelisted:	true
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)	System Summary
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3FB9168D-43F2-40D2-AFBC-6B32481207BC}.tmp
Category:	dropped
Dump:	~WRS{3FB9168D-43F2-40D2-AFBC-6B32481207BC}.tmp.0.dr
ID:	dr_6
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	0.05390218305374581
Encrypted:	false
Ssdeep:	3:ol3lYdn:4Wn
Size:	1024
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Downloads files	Networking	Ingress Tool Transfer

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9028E283-917F-4BAA-8392-C7BA4366CE6B}.tmp
Category:	dropped
Dump:	~WRS{9028E283-917F-4BAA-8392-C7BA4366CE6B}.tmp.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	3.5485354782796246
Encrypted:	false
Ssdeep:	384:n3NtHF+cKeYsyJDHZQs602XyCP6nRf6XSm8xQZ:3n8cKeAtS02Ena98aZ
Size:	12800
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Local\Temp\tmp39FF.tmp
Category:	dropped
Dump:	tmp39FF.tmp.9.dr
ID:	dr_18
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.1063907901076036
Encrypted:	false
Ssdeep:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
Size:	1310
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Local\Temp\tmp412F.tmp
Category:	dropped
Dump:	tmp412F.tmp.9.dr
ID:	dr_16
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	5.135668813522653
Encrypted:	false
Ssdeep:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
Size:	1320
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

Details

File:	C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\Exceptions\1.2.2.0\da0a22967d69764878492dcdfafebb2b.dat
Category:	dropped
Dump:	da0a22967d69764878492dcdfafebb2b.dat.9.dr
ID:	dr_14
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	data
Entropy:	7.74262010466454
Encrypted:	false
Ssdeep:	24:soqelz7a03pJSLbIM8dqxoSIEcCqewO/d7zAeixv:Nqel60j6IMboSDcBe9xMpv
Size:	784
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat
Category:	dropped
Dump:	catalog.dat.9.dr
ID:	dr_19
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	data
Entropy:	7.024371743172393
Encrypted:	false
Ssdeep:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
Size:	232
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\storage.dat
Category:	dropped
Dump:	storage.dat.9.dr
ID:	dr_13
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	data
Entropy:	7.99938831605763
Encrypted:	true
Ssdeep:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
Size:	327432
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat
Category:	dropped
Dump:	task.dat.9.dr
ID:	dr_17
Target ID:	9
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Type:	ASCII text, with no line terminators
Entropy:	4.830795005765378
Encrypted:	false
Ssdeep:	3:oMty8WddSWA1KMNn:oMLW6WA1j
Size:	57
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\P0_00122.LNK
Category:	dropped
Dump:	P0_00122.LNK.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Jan 14 01:22:15 2022, length=42511, window=hide
Entropy:	4.515084187513427
Encrypted:	false
Ssdeep:	12:8jFKRgXg/XAlCPCHaXjByB/OW9qX+WAbZyOXicvb1P1dXDtZ3YilMMEpxRljKGwN:8I/XTTcLIbePNDv3qHwqQd7Qy
Size:	1004
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Category:	dropped
Dump:	index.dat.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	ASCII text, with CRLF line terminators
Entropy:	4.479851414713963
Encrypted:	false
Ssdeep:	3:bDuMJlthXXd2mX1f6V+XXd2v:bCmBXPXC
Size:	67
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Category:	dropped
Dump:	~$Normal.dotm.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.5038355507075254
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
Size:	162
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8BC7PPIC80D40DHBNKNO.temp
Category:	dropped
Dump:	8BC7PPIC80D40DHBNKNO.temp.5.dr
ID:	dr_11
Target ID:	5
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.586557779294657
Encrypted:	false
Ssdeep:	96:chQCQMqmqvsqvJCwoxTz8hQCQMqmqvsEHyqvJCwornTzaTKrRH2TpxpyMilUVjTh:cWPolz8WzHnorTzauof8MRA2
Size:	8016
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
Category:	dropped
Dump:	8BC7PPIC80D40DHBNKNO.temp.5.dr
ID:	dr_12
Target ID:	5
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.586557779294657
Encrypted:	false
Ssdeep:	96:chQCQMqmqvsqvJCwoxTz8hQCQMqmqvsEHyqvJCwornTzaTKrRH2TpxpyMilUVjTh:cWPolz8WzHnorTzauof8MRA2
Size:	8016
Whitelisted:	false
Reputation:	timeout

Details

File:	C:\Users\user\Desktop\~$_00122.doc
Category:	dropped
Dump:	~$_00122.doc.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Type:	data
Entropy:	2.5038355507075254
Encrypted:	false
Ssdeep:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
Size:	162
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report

Files

Processes

URLs

Domains