Analysis
-
max time kernel
152s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 10:29
Static task
static1
Behavioral task
behavioral1
Sample
4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm
-
Size
387KB
-
MD5
565717192a35dacce33823a8a7f5f897
-
SHA1
542a54656018b6417320a84deb8e92ffec8d58c6
-
SHA256
4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214
-
SHA512
e16272d638f4cf43aad99072311adacc812c794c82f7b2adaa8a511959eb51d9b9ce534d0927c90d88e17b599732ac8c217e09673889d14eb34b888494d07177
Score
10/10
Malware Config
Signatures
-
Ostap JavaScript Downloader 1 IoCs
Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot
resource yara_rule behavioral2/files/0x000600000002213a-174.dat family_ostap -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1960 2664 cmd.exe 51 -
ostap
Ostap is a JS downloader, used to deliver other families.
-
Sets service image path in registry 2 TTPs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe -
Modifies registry class 14 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e80922b16d365937a46956b92703aca08af260001002600efbe110000009886b0eac007d801d992a1e7c607d8012a3eca245f17d80114000000 WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE 2664 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2664 wrote to memory of 1960 2664 WINWORD.EXE 61 PID 2664 wrote to memory of 1960 2664 WINWORD.EXE 61 PID 1960 wrote to memory of 3720 1960 cmd.exe 63 PID 1960 wrote to memory of 3720 1960 cmd.exe 63
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\MyImages\presskey.cmd2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\system32\cscript.execscript //nologo C:\MyImages\presskey.jse3⤵PID:3720
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵PID:3616
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 2e602fac97e55028ac597d1829cc7812 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
PID:3788