Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 21:40
Behavioral task: behavioral1
- Sample: 0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc
- Resource: win10v2004-20220901-en
General
- Target: 0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc
- Size: 61KB
- MD5: 97f6d88dcfe5fdcbf6cde2a588ad48bc
- SHA1: e17474fe19a3a6b5364d8502b9b436ac703e16c4
- SHA256: 0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41
- SHA512: c8fdab0cec9071f184e724eb98b8e4d614d3b67a1232ec71724f461e0d8bab22d6d3393cbb12870d79dce42c3c6ad945f1f1015dc6c9e1d7c7499c514eaadbe8
- SSDEEP: 768:S++if7UQ9k8Wyvtr3OL8rKMpI+Ujsene8WXZkryaiYnTo9ED:2pQDWkR3OLbH7ymnC
Malware Config
- Extracted: http://91.220.131.29/upd/install.exe
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4372 | 616 | cmd.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  38 | 3288 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | process
  616 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  3288 | powershell.exe (3 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 3288 | powershell.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | process
  616 | WINWORD.EXE (7 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 616 wrote to memory of 4372 | 616 | WINWORD.EXE | cmd.exe (2 identical entries)
  PID 4372 wrote to memory of 2752 | 4372 | cmd.exe | PING.EXE (2 identical entries)
  PID 4372 wrote to memory of 444 | 4372 | cmd.exe | chcp.com (2 identical entries)
  PID 4372 wrote to memory of 1224 | 4372 | cmd.exe | cscript.exe (2 identical entries)
  PID 1224 wrote to memory of 3288 | 1224 | cscript.exe | powershell.exe (2 identical entries)
  PID 3288 wrote to memory of 4696 | 3288 | powershell.exe | cmd.exe (2 identical entries)
Processes (tree; indentation shows parent/child depth 1 to 5)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 616)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4372)
    Command line: C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2752)
      Command line: ping 1.1.2.2 -n 2
      Signatures:
      - Runs ping.exe
    - C:\Windows\system32\chcp.com (PID 444)
      Command line: chcp 1251
    - C:\Windows\system32\cscript.exe (PID 1224)
      Command line: cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
      Signatures:
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3288)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
        Signatures:
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe (PID 4696)
          Command line: "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: a8a954ecf3820fe0edc44cb6bb56cfae
  SHA1: e9913ad2ff8e8960a871eb282683fc53f88b5c73
  SHA256: 94143b3aa4dfe74475eeaabaa1d44a1f15dee8a224268b52f91ca5e8b91350a3
  SHA512: abb76ffe17a57a2d036b2266fa36e6c663901e5835e045a0ef6a4616705be3dce4b101699ba81b8dcd37efea76a3b591013d387be99782b9b6550917653592a4
- \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 207B
  MD5: bcee45f249102dd87bc0445925e1dc65
  SHA1: 5652e6a5aa3178329def77f50e54529997e0cfad
  SHA256: 84b6d24219105e86f42329300278bbefa03ff6b40116123f3d19ff3c20f6ec9a
  SHA512: c6290cc42bc452ce9d4bd284909da7f735d571dedf98e55809c1d91b0272db2a09e76865f2f476a7a2a1833126920ed7f2f9fab5d400bf2d0fb0ff381b432480
- \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 355B
  MD5: 31b68eb4af8a0a939dbff53a9355e130
  SHA1: a64374be6f7a90ac04c77e54162b93b95066c791
  SHA256: a2daedce3a9b0abaf3b246b016e4f39a7ba00dec7dbad35134668c2fa336eae5
  SHA512: 83d7b3599dcf947fcda88fe21156b8bea5f2e04bf9a56058553261e9fe3fed8f886fd8df6e211a0921555a510b6e6de224aef99c57d55be0f5b54eb1a727f4b5