Analysis
max time kernel: 101s
max time network: 189s
platform: windows7_x64
resource: win7v20210408
submitted: 16-07-2021 12:34
Static task: static1
Behavioral task: behavioral1 (Sample: adjure.07.15.2021.doc, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: adjure.07.15.2021.doc, Resource: win10v20210408)
General
Target: adjure.07.15.2021.doc
Size: 87KB
MD5: a4e5382ad73aa72478e5264bc44c4167
SHA1: 9a3641ccc9bef7a17632070a21b9e2fa7af85fad
SHA256: 562e2dab4a855410150587c82ab64eac1e2230a0405b3e032c75451c5baf6a8a
SHA512: 914b42cd057ae27d1e65dc02f112b2ced21a5ac7ee79f0b096993b1967695e03ab492a78592a7ac5ff8ee7875661fe91f89b754f32fcc6710a94e67a4b029a5a
Malware Config
Extracted family: trickbot
Version: 2000031
Botnet tag (gtag): zev1
C2 servers: 25 IP:443 entries extracted from the configuration
Autorun modules: pwgrabb, pwgrabc
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process: PID 1708 (cmd.exe), parent PID 1092 (WINWORD.EXE)
Blocklisted process makes network request (1 IoC)
Processes: mshta.exe
  flow 7, PID 1192 (mshta.exe)
Downloads MZ/PE file
Loads dropped DLL (1 IoC)
Processes: regsvr32.exe
  PID 1108 (regsvr32.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14, ioc ipinfo.io
Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
  File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings (10 IoCs)
Processes: WINWORD.EXE, mshta.exe
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
  PID 1092 (WINWORD.EXE)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  Token: SeDebugPrivilege, PID 1912 (wermgr.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  PID 1092 (WINWORD.EXE), 2 events
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: WINWORD.EXE, cmd.exe, mshta.exe, regsvr32.exe
  PID 1092 (WINWORD.EXE) wrote to memory of PID 1708 (cmd.exe): 4 events
  PID 1708 (cmd.exe) wrote to memory of PID 1192 (mshta.exe): 4 events
  PID 1192 (mshta.exe) wrote to memory of PID 1108 (regsvr32.exe): 7 events
  PID 1108 (regsvr32.exe) wrote to memory of PID 1912 (wermgr.exe): 6 events
  PID 1092 (WINWORD.EXE) wrote to memory of PID 1984 (splwow64.exe): 4 events
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure.07.15.2021.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\programdata\linkLstLong.hta
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\linkLstLong.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\linkLstLong.jpg
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\wermgr.exe
          Command line: C:\Windows\system32\wermgr.exe
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\programdata\linkLstLong.hta
  MD5: f929e0be622e960a0a560b181920ae27
  SHA1: 6178f220ef46c6ea2e0d4cc72137d00a85701a9c
  SHA256: 1d856c5f27d080a730cf88dafdf0b94860dd7cd752f87989a4e679eeca98fa43
  SHA512: fbb84c7817265db19d1c2533540fa6d97005206a4cc7fde0977f5f89d69fc4bea702140baa1cfab3abf8f70b3b245d3806ddd5acd908e06950b3323fa9f718a5
\??\c:\users\public\linkLstLong.jpg
  MD5: 346446b4a209814f7542e706a561ad89
  SHA1: 3e77832af77b84ded9c08212fc2bd9d7022f6c9c
  SHA256: 4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7
  SHA512: b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef
\Users\Public\linkLstLong.jpg (same file as above)
  MD5: 346446b4a209814f7542e706a561ad89
  SHA1: 3e77832af77b84ded9c08212fc2bd9d7022f6c9c
  SHA256: 4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7
  SHA512: b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef
Memory dumps (filename, filesize)
memory/1092-60-0x00000000700D1000-0x00000000700D3000-memory.dmp (8KB)
memory/1092-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1092-62-0x0000000075AF1000-0x0000000075AF3000-memory.dmp (8KB)
memory/1092-83-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1092-59-0x0000000072651000-0x0000000072654000-memory.dmp (12KB)
memory/1108-71-0x0000000000820000-0x0000000000857000-memory.dmp (220KB)
memory/1108-67-0x0000000000000000-mapping.dmp
memory/1108-74-0x00000000007E0000-0x0000000000814000-memory.dmp (208KB)
memory/1108-76-0x00000000008F0000-0x0000000000901000-memory.dmp (68KB)
memory/1108-75-0x0000000000860000-0x00000000008A3000-memory.dmp (268KB)
memory/1108-77-0x0000000000621000-0x0000000000623000-memory.dmp (8KB)
memory/1192-66-0x0000000000000000-mapping.dmp
memory/1708-63-0x0000000000000000-mapping.dmp
memory/1912-80-0x0000000000000000-mapping.dmp
memory/1912-81-0x0000000000060000-0x0000000000088000-memory.dmp (160KB)
memory/1912-82-0x0000000000110000-0x0000000000111000-memory.dmp (4KB)
memory/1984-78-0x0000000000000000-mapping.dmp
memory/1984-79-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp (8KB)