Analysis
-
max time kernel
104s -
max time network
171s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 21:40
General
-
Target
0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc
-
Size
61KB
-
MD5
97f6d88dcfe5fdcbf6cde2a588ad48bc
-
SHA1
e17474fe19a3a6b5364d8502b9b436ac703e16c4
-
SHA256
0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41
-
SHA512
c8fdab0cec9071f184e724eb98b8e4d614d3b67a1232ec71724f461e0d8bab22d6d3393cbb12870d79dce42c3c6ad945f1f1015dc6c9e1d7c7499c514eaadbe8
-
SSDEEP
768:S++if7UQ9k8Wyvtr3OL8rKMpI+Ujsene8WXZkryaiYnTo9ED:2pQDWkR3OLbH7ymnC
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://91.220.131.29/upd/install.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.2.2 -n 23⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps14⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe5⤵
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1Filesize
1KB
MD5a8a954ecf3820fe0edc44cb6bb56cfae
SHA1e9913ad2ff8e8960a871eb282683fc53f88b5c73
SHA25694143b3aa4dfe74475eeaabaa1d44a1f15dee8a224268b52f91ca5e8b91350a3
SHA512abb76ffe17a57a2d036b2266fa36e6c663901e5835e045a0ef6a4616705be3dce4b101699ba81b8dcd37efea76a3b591013d387be99782b9b6550917653592a4
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.batFilesize
207B
MD5bcee45f249102dd87bc0445925e1dc65
SHA15652e6a5aa3178329def77f50e54529997e0cfad
SHA25684b6d24219105e86f42329300278bbefa03ff6b40116123f3d19ff3c20f6ec9a
SHA512c6290cc42bc452ce9d4bd284909da7f735d571dedf98e55809c1d91b0272db2a09e76865f2f476a7a2a1833126920ed7f2f9fab5d400bf2d0fb0ff381b432480
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbsFilesize
355B
MD531b68eb4af8a0a939dbff53a9355e130
SHA1a64374be6f7a90ac04c77e54162b93b95066c791
SHA256a2daedce3a9b0abaf3b246b016e4f39a7ba00dec7dbad35134668c2fa336eae5
SHA51283d7b3599dcf947fcda88fe21156b8bea5f2e04bf9a56058553261e9fe3fed8f886fd8df6e211a0921555a510b6e6de224aef99c57d55be0f5b54eb1a727f4b5
-
memory/592-131-0x0000000000000000-mapping.dmp
-
memory/1068-96-0x0000000000000000-mapping.dmp
-
memory/1540-120-0x0000000000000000-mapping.dmp
-
memory/1552-121-0x0000000000000000-mapping.dmp
-
memory/1560-129-0x0000000069DA0000-0x000000006A34B000-memory.dmpFilesize
5.7MB
-
memory/1560-126-0x0000000069DA0000-0x000000006A34B000-memory.dmpFilesize
5.7MB
-
memory/1560-124-0x0000000000000000-mapping.dmp
-
memory/1728-130-0x000007FEFB591000-0x000007FEFB593000-memory.dmpFilesize
8KB
-
memory/1728-128-0x0000000000000000-mapping.dmp
-
memory/1928-87-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-94-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-61-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-60-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-65-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-66-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-67-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-68-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-69-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-70-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-71-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-73-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-72-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-75-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-74-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-77-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-76-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-78-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-79-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-80-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-81-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-82-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-83-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-84-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-85-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-86-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-64-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-89-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-90-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-91-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-92-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-88-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-93-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-62-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-95-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-97-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-99-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-98-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-101-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-100-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-102-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-103-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-106-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-107-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-108-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-109-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-110-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-111-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-112-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-113-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-114-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-115-0x0000000070AED000-0x0000000070AF8000-memory.dmpFilesize
44KB
-
memory/1928-116-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-63-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-59-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-58-0x0000000070AED000-0x0000000070AF8000-memory.dmpFilesize
44KB
-
memory/1928-57-0x0000000074AD1000-0x0000000074AD3000-memory.dmpFilesize
8KB
-
memory/1928-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-55-0x000000006FB01000-0x000000006FB03000-memory.dmpFilesize
8KB
-
memory/1928-54-0x0000000072081000-0x0000000072084000-memory.dmpFilesize
12KB
-
memory/1928-117-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-118-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-119-0x0000000000370000-0x0000000000470000-memory.dmpFilesize
1024KB
-
memory/1928-132-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-133-0x0000000070AED000-0x0000000070AF8000-memory.dmpFilesize
44KB
-
memory/2008-105-0x0000000000000000-mapping.dmp