Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2022 11:54
Behavioral task
behavioral1
Sample
45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc
Resource
win10v2004-20220812-en
General
-
Target
45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc
-
Size
191KB
-
MD5
cf75c33403bad87a59b0161576779ba2
-
SHA1
e4131593e9be8b994b49241cd2700479ddbfdab1
-
SHA256
45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f
-
SHA512
79f9a2753e3076cd5febbdfb438c6f98c718c10190a7663c4140d9ddc635db10c4ea0981867b67f0188064a3d18b4bfcb46c1b6ac859eebc501ec1cdfe53a3a8
-
SSDEEP
3072:yI6bftBVxtWBhOSBw3GMPfY98JfZmKP7uasFMakqYTfcIh+2oALNZCiZm8:yI6bftnxtZSBC498JzP7XsqakRTfc6+e
Malware Config
Extracted
http://www.2fs.com.au/tmp/rkn.exe
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4788 3224 cmd.exe WINWORD.EXE -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3224 WINWORD.EXE 3224 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 4228 powershell.exe 4228 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4228 powershell.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE 3224 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEcmd.execscript.exepowershell.exedescription pid process target process PID 3224 wrote to memory of 4788 3224 WINWORD.EXE cmd.exe PID 3224 wrote to memory of 4788 3224 WINWORD.EXE cmd.exe PID 4788 wrote to memory of 4332 4788 cmd.exe PING.EXE PID 4788 wrote to memory of 4332 4788 cmd.exe PING.EXE PID 4788 wrote to memory of 228 4788 cmd.exe chcp.com PID 4788 wrote to memory of 228 4788 cmd.exe chcp.com PID 4788 wrote to memory of 948 4788 cmd.exe cscript.exe PID 4788 wrote to memory of 948 4788 cmd.exe cscript.exe PID 948 wrote to memory of 4228 948 cscript.exe powershell.exe PID 948 wrote to memory of 4228 948 cscript.exe powershell.exe PID 4228 wrote to memory of 448 4228 powershell.exe cmd.exe PID 4228 wrote to memory of 448 4228 powershell.exe cmd.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 1.1.2.2 -n 23⤵
- Runs ping.exe
-
C:\Windows\system32\chcp.comchcp 12513⤵
-
C:\Windows\system32\cscript.execscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1Filesize
1KB
MD5c3fdf3ccaeaa6bb33165dfe18dae43e6
SHA1deaf2ed146ab346cd406eccc928a14552dd15e19
SHA2568606130c7a68799d185a40da2c404b2fb6dbeba6ebc7bca7751e259cec83e148
SHA512102913925ca5d8d746b1f8f7cbd0a65294a2a023b7d6609aee3a962e74ae21fb1b373b70655851a27d4f2921b9559dce43f50d4a117f517f167c2ea09d4a5e9d
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.batFilesize
116B
MD54922a773060a96738c0309ff2266e9b0
SHA14b2effb130c3c0af0c0d17566ea40ddcba59a50e
SHA2569d005399621525cef2397ca6ebaae4dd373781bec66d362712df8431cbdd1a03
SHA512ce612df4b8516dbfd0f332b3419cc858d2ebc2211d56f75c917d4af551fa20b3936558b4e0036e57844c8865f8ed9b75c7fdf2d49c0cd2e9acf655516d9ddd04
-
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbsFilesize
398B
MD5f274f67c467b49b9d278ca3b4196b5d0
SHA18b80213e280bf2b40057a3b5269a540c387fd036
SHA25679253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1
SHA51212daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b
-
memory/228-143-0x0000000000000000-mapping.dmp
-
memory/448-153-0x0000000000000000-mapping.dmp
-
memory/948-144-0x0000000000000000-mapping.dmp
-
memory/3224-138-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmpFilesize
64KB
-
memory/3224-134-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-132-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-159-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-142-0x000001C225CA0000-0x000001C225CA2000-memory.dmpFilesize
8KB
-
memory/3224-137-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmpFilesize
64KB
-
memory/3224-136-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-135-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-158-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-157-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-156-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-133-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmpFilesize
64KB
-
memory/3224-151-0x000001C225CA0000-0x000001C225CA2000-memory.dmpFilesize
8KB
-
memory/4228-150-0x00007FFF2BE70000-0x00007FFF2C931000-memory.dmpFilesize
10.8MB
-
memory/4228-152-0x00007FFF2BE70000-0x00007FFF2C931000-memory.dmpFilesize
10.8MB
-
memory/4228-154-0x000002813FAB0000-0x000002813FB26000-memory.dmpFilesize
472KB
-
memory/4228-148-0x000002813F650000-0x000002813F694000-memory.dmpFilesize
272KB
-
memory/4228-147-0x000002813F4B0000-0x000002813F4D2000-memory.dmpFilesize
136KB
-
memory/4228-146-0x0000000000000000-mapping.dmp
-
memory/4332-141-0x0000000000000000-mapping.dmp
-
memory/4788-139-0x0000000000000000-mapping.dmp