Overview

overview

10

Static

static

8

6ccca9c9c6...c.docm

windows7-x64

10

6ccca9c9c6...c.docm

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm

  • Size

    37KB

  • MD5

    221c885bd44e336b01308dfd8de97e32

  • SHA1

    1b9fea1b38b09e6997c0e5335361e5fc8659e91a

  • SHA256

    6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac

  • SHA512

    e24a44cd4ce2da6d2cc4c591d890c2385e92a47342c672ee51789cd72872b80749ef404962d122669e327d14659d9449b629322b9cef2b2db5359878e72c46e2

  • SSDEEP

    768:choE65XrG1gc9nUJuPY5VkJsO1m2pSWen+IJT7sxEexuHkTEB:choNogc9nUwPTJp1SWen+IJTwWeUKEB

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://91.220.131.146/upd3/install.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.2.2 -n 2
          3⤵
          • Runs ping.exe
          PID:1396
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          3⤵
            PID:1732
          • C:\Windows\SysWOW64\cscript.exe
            cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1272
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
              4⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1392
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
                5⤵
                  PID:1648

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
          Filesize

          1KB

          MD5

          3a56ec4f524e46943c8f53ec379c3f8e

          SHA1

          ee995b3af572dbd2188c40163815c84c1c9cc812

          SHA256

          4d9aa05145c48ebf4b920d0f2a4c2993fe9fc28b481ee92235e3da8d8b5ec2d6

          SHA512

          96aecb465cca746ccdff760dfb2195870344d98c4e38e81ab2bbc2ca9ca257ef225fdb5144d597bfef480fc634e2ae02dbb2262aa455b5e92298424df43f28ad

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
          Filesize

          190B

          MD5

          d3f4bd63fac15069bc058bd738809ce7

          SHA1

          09be7e5687779ea43e768d746f563d3c81bab371

          SHA256

          c730c94704d230435193522a725d69a7e4a384364fffa866034edfc8026d2f34

          SHA512

          0cd9dfc871f7c07718d861dc4826720baf2bdeb7cf9f4a5f3a4628ada54436f6ea4203cad0faf9b4da9c2a66950aebf7cae948e89188edbe34111b45cd47af93

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
          Filesize

          352B

          MD5

          252a4ce382f32a041aef2b4aca69e904

          SHA1

          a7ba63b12b617e8bead937492186303a23162ee1

          SHA256

          bb33709ea82c00bbebe68a397ae844789ac1ee24f7023a5d9e87673b11cb9e42

          SHA512

          62ea3d610a9cd6fe0acedecfc5f6d9ac7c5ad1792af020555de2dd2ffa6c9e61977dbdd7f8629f053dcf619d21792cb7c262493e6ac00610929bcd97a8ee098c

          Download Submit
        • memory/112-61-0x0000000000000000-mapping.dmp
          Download
        • memory/1272-65-0x0000000000000000-mapping.dmp
          Download
        • memory/1392-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1392-74-0x000000006A220000-0x000000006A7CB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1392-71-0x0000000004AB0000-0x0000000004FE6000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/1392-70-0x000000006A220000-0x000000006A7CB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1396-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1544-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1544-76-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1544-54-0x0000000072661000-0x0000000072664000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1544-57-0x0000000075681000-0x0000000075683000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1544-58-0x00000000710CD000-0x00000000710D8000-memory.dmp
          Filesize

          44KB

          Download
        • memory/1544-55-0x00000000700E1000-0x00000000700E3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1544-73-0x00000000710CD000-0x00000000710D8000-memory.dmp
          Filesize

          44KB

          Download
        • memory/1544-77-0x00000000710CD000-0x00000000710D8000-memory.dmp
          Filesize

          44KB

          Download
        • memory/1648-75-0x0000000000000000-mapping.dmp
          Download
        • memory/1716-59-0x0000000000000000-mapping.dmp
          Download
        • memory/1716-60-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1732-64-0x0000000000000000-mapping.dmp
          Download