Overview

overview

8

Static

static

45f293b1b5...0.docm

windows10-2004-x64

8

Resubmissions

19/10/2022, 18:57

221019-xl8njsdbcr 8

19/10/2022, 18:39

221019-xa4v8acedr 8

19/10/2022, 18:00

221019-wldyhaage6 4

Analysis

  • max time kernel
    1717s
  • max time network
    1722s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2022, 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm

  • Size

    143KB

  • MD5

    f769f67681707e8f69ecdf9e62fb944c

  • SHA1

    c5f6a48fa52a279e1f3424b97662b479716229af

  • SHA256

    45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50

  • SHA512

    779caa9c7efac57edc6078d212b04a930d66fa10b50967bb1b9131c9e240f40f09e6f81812583770e7ffac51d7d0e23b57e20e6a7719d73ab2f1673cb17943a9

  • SSDEEP

    3072:2e3HSOTf6Mqfb041n8Vj9SmUNRzw16vDhLfByVBZsqnCVL:2eiObpS1nY9fqzjvDZoDsqngL

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4908
  • C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4152
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\Tasks\WindowsUpdate
        2⤵
        • Drops file in System32 directory
        PID:392
    • C:\Windows\system32\msconfig.exe
      "C:\Windows\system32\msconfig.exe"
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\System32\Taskmgr.exe
        "C:\Windows\System32\Taskmgr.exe" /7 /Startup
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2648
    • C:\Windows\System32\j3yvee.exe
      "C:\Windows\System32\j3yvee.exe"
      1⤵
        PID:3496
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:4268
        • C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
          1⤵
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4912
        • C:\Windows\system32\wscript.EXE
          C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
          1⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
            2⤵
            • Blocklisted process makes network request
            PID:4804
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3180
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\Tasks\WindowsUpdate
            2⤵
              PID:2748
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4376
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
              2⤵
              • Blocklisted process makes network request
              PID:4136
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
              2⤵
              • Blocklisted process makes network request
              PID:5000
          • C:\Windows\system32\wscript.EXE
            C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3248
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
              2⤵
              • Blocklisted process makes network request
              PID:4044
          • C:\Windows\system32\wscript.EXE
            C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:432
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
              2⤵
              • Blocklisted process makes network request
              PID:880
          • C:\Windows\system32\wscript.EXE
            C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
              2⤵
              • Blocklisted process makes network request
              PID:2368

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            b9be8ab4b1a57000bfe7391b5860a762

            SHA1

            c18cc0aece48ec22a23a217f2e52791db1968f2e

            SHA256

            fcbd5f7376cafccc701c14d16e1ec90165614a97120d3484ae79a09af1c87def

            SHA512

            733d79b2ca8ceac6fd5bc11ea64ce29389359c10fdbfbd4f8b308d81acb538cbd95f1348c87f88425ecf8f8e488e8709d754561a6531bdc296b7eea65d5a0347

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            80db50de03b5060dcbf29f1c224912bb

            SHA1

            3c6986d23749b8fa000f241633424695836db311

            SHA256

            3cb8220befb6a012c4eebebe3677e9181929ca9fef38e03ecbaad17a6b830f24

            SHA512

            71d921a4eeb3e845994659551f254b375535400bedec7690b6f0a3d1974c81e595d8260034c33d20588ee161ce17c3f70def5c3239af0089d3008defea8c5dd2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            08a17ad9db6ab63ce146b12b4860d64a

            SHA1

            f77a117b525f7835ce88aa824af9476ab55c83cb

            SHA256

            c55e890243abdf1cc879d19f8311e5bff1630800b02334e877ea56475b54aa24

            SHA512

            acca665bc3fae7a5f6ecb5a04d873665e2a4ea7872a127b5cd654d9115fbfd0e908e40edaadadcc797f853f5cb328edcbfef2bd03c9d86eed6192ad1b58ada56

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            90e81190df5aba9dc80804f09565aed7

            SHA1

            4fc09c7c9a75741836b6d2aad14676b7e6fb47cb

            SHA256

            3cf145296c1ff0a89f8d30b2f4a4ab980e626fcfe885eda9e3aea755adda5703

            SHA512

            5ba9dc5e61456a88015da6ca4da0dc0cdd41e7e431d33a122dd0fbd5cd36f3d81d4f7f91a1ca55b83b145dc5555148b6148a8379ba29f442340a4dda55c5f4ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            90e81190df5aba9dc80804f09565aed7

            SHA1

            4fc09c7c9a75741836b6d2aad14676b7e6fb47cb

            SHA256

            3cf145296c1ff0a89f8d30b2f4a4ab980e626fcfe885eda9e3aea755adda5703

            SHA512

            5ba9dc5e61456a88015da6ca4da0dc0cdd41e7e431d33a122dd0fbd5cd36f3d81d4f7f91a1ca55b83b145dc5555148b6148a8379ba29f442340a4dda55c5f4ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            80db50de03b5060dcbf29f1c224912bb

            SHA1

            3c6986d23749b8fa000f241633424695836db311

            SHA256

            3cb8220befb6a012c4eebebe3677e9181929ca9fef38e03ecbaad17a6b830f24

            SHA512

            71d921a4eeb3e845994659551f254b375535400bedec7690b6f0a3d1974c81e595d8260034c33d20588ee161ce17c3f70def5c3239af0089d3008defea8c5dd2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            80db50de03b5060dcbf29f1c224912bb

            SHA1

            3c6986d23749b8fa000f241633424695836db311

            SHA256

            3cb8220befb6a012c4eebebe3677e9181929ca9fef38e03ecbaad17a6b830f24

            SHA512

            71d921a4eeb3e845994659551f254b375535400bedec7690b6f0a3d1974c81e595d8260034c33d20588ee161ce17c3f70def5c3239af0089d3008defea8c5dd2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
            Filesize

            15KB

            MD5

            a3c14604fb4454ba5722f07f89780e73

            SHA1

            ed7b9ddbaee794cecb80fac794b0e6cb0ae073b5

            SHA256

            bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332

            SHA512

            3c70940829620ea283e6830d1ece89efbfb83ffd0278496ba356d37bb2a30ce885a565136f7e7911cd6a6dd8f93190c42418e2fc9e1b0f4d232fffc6260db123

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs
            Filesize

            1KB

            MD5

            5b5464c5b0643161cb368f7a00900eef

            SHA1

            8bbb9ae8311ce3c87f478457ca8d3c47677d21ee

            SHA256

            92765a0cb0953d8df9484b5af79cd9b2e1e6248a7ec23ba0d977ff7082156a01

            SHA512

            78eb6b9183f447ba59bc41cddbc3d95a076684ba2beacf350dedd01e50dbb5c2c85dfa46aefe55fd7443aef11f606c30ca4a5876a97e4dad0a5925625a6c3995

            Download Submit

          • C:\Windows\System32\Tasks\WindowsUpdate
            Filesize

            4KB

            MD5

            e58c3d301d2e4dff84f168f8c38e7659

            SHA1

            3546cb506630e2254d566c0950c415f1ee25a3fb

            SHA256

            d0a63dca8add43de06387afb4930eacdf6fd8d940ec4ba55869cd57a5ae1aeea

            SHA512

            e4a559f4dbe4b3a13d2547aaaafdfbf4a16bd628d5551d5af14b8c55e70d61a7cbb1aa9f1d5953cc06256b6a427e1966ebce32a95e18c0ec213e56b6d496258d

            Download Submit

          • memory/880-189-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/880-188-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/880-187-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2184-149-0x00007FFECE870000-0x00007FFECF331000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2184-150-0x00007FFECE870000-0x00007FFECF331000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2184-151-0x00007FFECE870000-0x00007FFECF331000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2184-147-0x00000185EFC20000-0x00000185EFC42000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2368-192-0x000002ACD0750000-0x000002ACD1211000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2368-194-0x000002ACD0750000-0x000002ACD1211000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2368-193-0x000002ACD0750000-0x000002ACD1211000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4044-181-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4044-184-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4044-183-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4136-176-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4136-173-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4136-172-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4804-163-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4804-164-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4804-161-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4908-135-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-132-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-133-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-144-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-136-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-134-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-137-0x00007FFEAB800000-0x00007FFEAB810000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-138-0x00007FFEAB800000-0x00007FFEAB810000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-139-0x00000262C9DC0000-0x00000262C9DC4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/4908-141-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-142-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4908-143-0x00007FFEADD50000-0x00007FFEADD60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4912-157-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4912-154-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4912-155-0x000000001ED4A000-0x000000001ED4F000-memory.dmp

            Filesize

            20KB

            Download

          • memory/4912-156-0x0000000022280000-0x0000000022283000-memory.dmp

            Filesize

            12KB

            Download

          • memory/4912-167-0x0000000022280000-0x0000000022283000-memory.dmp

            Filesize

            12KB

            Download

          • memory/4912-158-0x000000001ED4A000-0x000000001ED4F000-memory.dmp

            Filesize

            20KB

            Download

          • memory/4912-165-0x00007FFECD9C0000-0x00007FFECE481000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4912-166-0x000000001ED4A000-0x000000001ED4F000-memory.dmp

            Filesize

            20KB

            Download

          • memory/5000-179-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5000-177-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5000-175-0x00007FFECDEF0000-0x00007FFECE9B1000-memory.dmp

            Filesize

            10.8MB

            Download