0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41

General

Target

0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc
Size

61KB
MD5

97f6d88dcfe5fdcbf6cde2a588ad48bc
SHA1

e17474fe19a3a6b5364d8502b9b436ac703e16c4
SHA256

0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41
SHA512

c8fdab0cec9071f184e724eb98b8e4d614d3b67a1232ec71724f461e0d8bab22d6d3393cbb12870d79dce42c3c6ad945f1f1015dc6c9e1d7c7499c514eaadbe8
SSDEEP

768:S++if7UQ9k8Wyvtr3OL8rKMpI+Ujsene8WXZkryaiYnTo9ED:2pQDWkR3OLbH7ymnC

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://91.220.131.29/upd/install.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4372	616	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

38 3288 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
38	3288	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2752 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

616 WINWORD.EXE
616 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3288 powershell.exe
3288 powershell.exe
3288 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3288 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

616 WINWORD.EXE
616 WINWORD.EXE
616 WINWORD.EXE
616 WINWORD.EXE
616 WINWORD.EXE
616 WINWORD.EXE
616 WINWORD.EXE

pid	process
2752	PING.EXE

pid	process
616	WINWORD.EXE
616	WINWORD.EXE

pid	process
3288	powershell.exe
3288	powershell.exe
3288	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3288	powershell.exe

pid	process
616	WINWORD.EXE
616	WINWORD.EXE
616	WINWORD.EXE
616	WINWORD.EXE
616	WINWORD.EXE
616	WINWORD.EXE
616	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 616 wrote to memory of 4372	616	WINWORD.EXE	cmd.exe
PID 616 wrote to memory of 4372	616	WINWORD.EXE	cmd.exe
PID 4372 wrote to memory of 2752	4372	cmd.exe	PING.EXE
PID 4372 wrote to memory of 2752	4372	cmd.exe	PING.EXE
PID 4372 wrote to memory of 444	4372	cmd.exe	chcp.com
PID 4372 wrote to memory of 444	4372	cmd.exe	chcp.com
PID 4372 wrote to memory of 1224	4372	cmd.exe	cscript.exe
PID 4372 wrote to memory of 1224	4372	cmd.exe	cscript.exe
PID 1224 wrote to memory of 3288	1224	cscript.exe	powershell.exe
PID 1224 wrote to memory of 3288	1224	cscript.exe	powershell.exe
PID 3288 wrote to memory of 4696	3288	powershell.exe	cmd.exe
PID 3288 wrote to memory of 4696	3288	powershell.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0616f04ec50d2745f50b40b3ff6c7bf99924f8dea084569afa6fb3b971114b41.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:2752

C:\Windows\system32\chcp.com
chcp 1251
3⤵
PID:444

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
a8a954ecf3820fe0edc44cb6bb56cfae

SHA1
e9913ad2ff8e8960a871eb282683fc53f88b5c73

SHA256
94143b3aa4dfe74475eeaabaa1d44a1f15dee8a224268b52f91ca5e8b91350a3

SHA512
abb76ffe17a57a2d036b2266fa36e6c663901e5835e045a0ef6a4616705be3dce4b101699ba81b8dcd37efea76a3b591013d387be99782b9b6550917653592a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
207B

MD5
bcee45f249102dd87bc0445925e1dc65

SHA1
5652e6a5aa3178329def77f50e54529997e0cfad

SHA256
84b6d24219105e86f42329300278bbefa03ff6b40116123f3d19ff3c20f6ec9a

SHA512
c6290cc42bc452ce9d4bd284909da7f735d571dedf98e55809c1d91b0272db2a09e76865f2f476a7a2a1833126920ed7f2f9fab5d400bf2d0fb0ff381b432480

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
355B

MD5
31b68eb4af8a0a939dbff53a9355e130

SHA1
a64374be6f7a90ac04c77e54162b93b95066c791

SHA256
a2daedce3a9b0abaf3b246b016e4f39a7ba00dec7dbad35134668c2fa336eae5

SHA512
83d7b3599dcf947fcda88fe21156b8bea5f2e04bf9a56058553261e9fe3fed8f886fd8df6e211a0921555a510b6e6de224aef99c57d55be0f5b54eb1a727f4b5

Download Submit
memory/444-155-0x0000000000000000-mapping.dmp

Download
memory/616-135-0x00007FFFA7C90000-0x00007FFFA7CA0000-memory.dmp

Filesize
64KB

Download
memory/616-137-0x00007FFFA5560000-0x00007FFFA5570000-memory.dmp

Filesize
64KB

Download
memory/616-138-0x00007FFFA5560000-0x00007FFFA5570000-memory.dmp

Filesize
64KB

Download
memory/616-141-0x00000205624E0000-0x00000205624E4000-memory.dmp

Filesize
16KB

Download
memory/616-136-0x00007FFFA7C90000-0x00007FFFA7CA0000-memory.dmp

Filesize
64KB

Download
memory/616-134-0x00007FFFA7C90000-0x00007FFFA7CA0000-memory.dmp

Filesize
64KB

Download
memory/616-132-0x00007FFFA7C90000-0x00007FFFA7CA0000-memory.dmp

Filesize
64KB

Download
memory/616-133-0x00007FFFA7C90000-0x00007FFFA7CA0000-memory.dmp

Filesize
64KB

Download
memory/1224-156-0x0000000000000000-mapping.dmp

Download
memory/2752-153-0x0000000000000000-mapping.dmp

Download
memory/3288-158-0x0000000000000000-mapping.dmp

Download
memory/3288-159-0x0000020E55DB0000-0x0000020E55DD2000-memory.dmp

Filesize
136KB

Download
memory/3288-160-0x00007FFFBAE40000-0x00007FFFBB901000-memory.dmp

Filesize
10.8MB

Download
memory/3288-161-0x0000020E6E050000-0x0000020E6E094000-memory.dmp

Filesize
272KB

Download
memory/3288-163-0x00007FFFBAE40000-0x00007FFFBB901000-memory.dmp

Filesize
10.8MB

Download
memory/3288-165-0x0000020E6E4A0000-0x0000020E6E516000-memory.dmp

Filesize
472KB

Download
memory/4372-144-0x0000000000000000-mapping.dmp

Download
memory/4696-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads