6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac

General

Target

6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm
Size

37KB
MD5

221c885bd44e336b01308dfd8de97e32
SHA1

1b9fea1b38b09e6997c0e5335361e5fc8659e91a
SHA256

6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac
SHA512

e24a44cd4ce2da6d2cc4c591d890c2385e92a47342c672ee51789cd72872b80749ef404962d122669e327d14659d9449b629322b9cef2b2db5359878e72c46e2
SSDEEP

768:choE65XrG1gc9nUJuPY5VkJsO1m2pSWen+IJT7sxEexuHkTEB:choNogc9nUwPTJp1SWen+IJTwWeUKEB

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.220.131.146/upd3/install.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4288	4324	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

19 1396 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
19	1396	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3288 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4324 WINWORD.EXE
4324 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1396 powershell.exe
1396 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1396 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4324 WINWORD.EXE
4324 WINWORD.EXE
4324 WINWORD.EXE
4324 WINWORD.EXE
4324 WINWORD.EXE
4324 WINWORD.EXE
4324 WINWORD.EXE

pid	process
3288	PING.EXE

pid	process
4324	WINWORD.EXE
4324	WINWORD.EXE

pid	process
1396	powershell.exe
1396	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1396	powershell.exe

pid	process
4324	WINWORD.EXE
4324	WINWORD.EXE
4324	WINWORD.EXE
4324	WINWORD.EXE
4324	WINWORD.EXE
4324	WINWORD.EXE
4324	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 4324 wrote to memory of 4288	4324	WINWORD.EXE	cmd.exe
PID 4324 wrote to memory of 4288	4324	WINWORD.EXE	cmd.exe
PID 4288 wrote to memory of 3288	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 3288	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 1872	4288	cmd.exe	chcp.com
PID 4288 wrote to memory of 1872	4288	cmd.exe	chcp.com
PID 4288 wrote to memory of 1352	4288	cmd.exe	cscript.exe
PID 4288 wrote to memory of 1352	4288	cmd.exe	cscript.exe
PID 1352 wrote to memory of 1396	1352	cscript.exe	powershell.exe
PID 1352 wrote to memory of 1396	1352	cscript.exe	powershell.exe
PID 1396 wrote to memory of 628	1396	powershell.exe	cmd.exe
PID 1396 wrote to memory of 628	1396	powershell.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:3288

C:\Windows\system32\chcp.com
chcp 1251
3⤵
PID:1872

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
3a56ec4f524e46943c8f53ec379c3f8e

SHA1
ee995b3af572dbd2188c40163815c84c1c9cc812

SHA256
4d9aa05145c48ebf4b920d0f2a4c2993fe9fc28b481ee92235e3da8d8b5ec2d6

SHA512
96aecb465cca746ccdff760dfb2195870344d98c4e38e81ab2bbc2ca9ca257ef225fdb5144d597bfef480fc634e2ae02dbb2262aa455b5e92298424df43f28ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
190B

MD5
d3f4bd63fac15069bc058bd738809ce7

SHA1
09be7e5687779ea43e768d746f563d3c81bab371

SHA256
c730c94704d230435193522a725d69a7e4a384364fffa866034edfc8026d2f34

SHA512
0cd9dfc871f7c07718d861dc4826720baf2bdeb7cf9f4a5f3a4628ada54436f6ea4203cad0faf9b4da9c2a66950aebf7cae948e89188edbe34111b45cd47af93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
352B

MD5
252a4ce382f32a041aef2b4aca69e904

SHA1
a7ba63b12b617e8bead937492186303a23162ee1

SHA256
bb33709ea82c00bbebe68a397ae844789ac1ee24f7023a5d9e87673b11cb9e42

SHA512
62ea3d610a9cd6fe0acedecfc5f6d9ac7c5ad1792af020555de2dd2ffa6c9e61977dbdd7f8629f053dcf619d21792cb7c262493e6ac00610929bcd97a8ee098c

Download Submit
memory/628-157-0x0000000000000000-mapping.dmp

Download
memory/1352-147-0x0000000000000000-mapping.dmp

Download
memory/1396-151-0x00007FF955E70000-0x00007FF956931000-memory.dmp

Filesize
10.8MB

Download
memory/1396-152-0x00000227710D0000-0x0000022771114000-memory.dmp

Filesize
272KB

Download
memory/1396-150-0x0000022770BD0000-0x0000022770BF2000-memory.dmp

Filesize
136KB

Download
memory/1396-149-0x0000000000000000-mapping.dmp

Download
memory/1396-156-0x00007FF955E70000-0x00007FF956931000-memory.dmp

Filesize
10.8MB

Download
memory/1396-158-0x00000227711A0000-0x0000022771216000-memory.dmp

Filesize
472KB

Download
memory/1872-146-0x0000000000000000-mapping.dmp

Download
memory/3288-144-0x0000000000000000-mapping.dmp

Download
memory/4288-142-0x0000000000000000-mapping.dmp

Download
memory/4324-140-0x0000022133DB0000-0x0000022133DB4000-memory.dmp

Filesize
16KB

Download
memory/4324-154-0x0000022132C28000-0x0000022132C2A000-memory.dmp

Filesize
8KB

Download
memory/4324-141-0x0000022132C28000-0x0000022132C2A000-memory.dmp

Filesize
8KB

Download
memory/4324-132-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-138-0x00007FF93F700000-0x00007FF93F710000-memory.dmp

Filesize
64KB

Download
memory/4324-137-0x00007FF93F700000-0x00007FF93F710000-memory.dmp

Filesize
64KB

Download
memory/4324-136-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-145-0x0000022132D4D000-0x0000022132D4F000-memory.dmp

Filesize
8KB

Download
memory/4324-155-0x0000022132D4D000-0x0000022132D4F000-memory.dmp

Filesize
8KB

Download
memory/4324-135-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-134-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-133-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-160-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-162-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-163-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download
memory/4324-161-0x00007FF941D50000-0x00007FF941D60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads