Analysis
-
max time kernel: 162s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:40
Behavioral tasks
  task | sample | resource
  behavioral1 | 6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm | win7-20220901-en
  behavioral2 | 6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm | win10v2004-20220812-en
General
-
Target: 6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm
Size: 37KB
MD5: 221c885bd44e336b01308dfd8de97e32
SHA1: 1b9fea1b38b09e6997c0e5335361e5fc8659e91a
SHA256: 6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac
SHA512: e24a44cd4ce2da6d2cc4c591d890c2385e92a47342c672ee51789cd72872b80749ef404962d122669e327d14659d9449b629322b9cef2b2db5359878e72c46e2
SSDEEP: 768:choE65XrG1gc9nUJuPY5VkJsO1m2pSWen+IJT7sxEexuHkTEB:choNogc9nUwPTJp1SWen+IJTwWeUKEB
Malware Config
-
Extracted URL: http://91.220.131.146/upd3/install.exe
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4288 | 4324 | cmd.exe | WINWORD.EXE
-
Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  19 | 1396 | powershell.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | cscript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Runs ping.exe (1 TTP, 1 IoC)
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  4324 | WINWORD.EXE
  4324 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  1396 | powershell.exe
  1396 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1396 | powershell.exe
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid | process
  4324 | WINWORD.EXE (7 occurrences)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 4324 wrote to memory of 4288 | 4324 | WINWORD.EXE | cmd.exe
  PID 4324 wrote to memory of 4288 | 4324 | WINWORD.EXE | cmd.exe
  PID 4288 wrote to memory of 3288 | 4288 | cmd.exe | PING.EXE
  PID 4288 wrote to memory of 3288 | 4288 | cmd.exe | PING.EXE
  PID 4288 wrote to memory of 1872 | 4288 | cmd.exe | chcp.com
  PID 4288 wrote to memory of 1872 | 4288 | cmd.exe | chcp.com
  PID 4288 wrote to memory of 1352 | 4288 | cmd.exe | cscript.exe
  PID 4288 wrote to memory of 1352 | 4288 | cmd.exe | cscript.exe
  PID 1352 wrote to memory of 1396 | 1352 | cscript.exe | powershell.exe
  PID 1352 wrote to memory of 1396 | 1352 | cscript.exe | powershell.exe
  PID 1396 wrote to memory of 628 | 1396 | powershell.exe | cmd.exe
  PID 1396 wrote to memory of 628 | 1396 | powershell.exe | cmd.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4324)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ccca9c9c6d732d098eac9bb54a6cbf1f276a59b76c73363d5b18efab3bab7ac.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 4288)
    Command line: C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE (PID 3288)
      Command line: ping 1.1.2.2 -n 2
      - Runs ping.exe
    C:\Windows\system32\chcp.com (PID 1872)
      Command line: chcp 1251
    C:\Windows\system32\cscript.exe (PID 1352)
      Command line: cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1396)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 628)
          Command line: "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: 3a56ec4f524e46943c8f53ec379c3f8e
  SHA1: ee995b3af572dbd2188c40163815c84c1c9cc812
  SHA256: 4d9aa05145c48ebf4b920d0f2a4c2993fe9fc28b481ee92235e3da8d8b5ec2d6
  SHA512: 96aecb465cca746ccdff760dfb2195870344d98c4e38e81ab2bbc2ca9ca257ef225fdb5144d597bfef480fc634e2ae02dbb2262aa455b5e92298424df43f28ad
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 190B
  MD5: d3f4bd63fac15069bc058bd738809ce7
  SHA1: 09be7e5687779ea43e768d746f563d3c81bab371
  SHA256: c730c94704d230435193522a725d69a7e4a384364fffa866034edfc8026d2f34
  SHA512: 0cd9dfc871f7c07718d861dc4826720baf2bdeb7cf9f4a5f3a4628ada54436f6ea4203cad0faf9b4da9c2a66950aebf7cae948e89188edbe34111b45cd47af93
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 352B
  MD5: 252a4ce382f32a041aef2b4aca69e904
  SHA1: a7ba63b12b617e8bead937492186303a23162ee1
  SHA256: bb33709ea82c00bbebe68a397ae844789ac1ee24f7023a5d9e87673b11cb9e42
  SHA512: 62ea3d610a9cd6fe0acedecfc5f6d9ac7c5ad1792af020555de2dd2ffa6c9e61977dbdd7f8629f053dcf619d21792cb7c262493e6ac00610929bcd97a8ee098c