45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f

General

Target

45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc
Size

191KB
MD5

cf75c33403bad87a59b0161576779ba2
SHA1

e4131593e9be8b994b49241cd2700479ddbfdab1
SHA256

45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f
SHA512

79f9a2753e3076cd5febbdfb438c6f98c718c10190a7663c4140d9ddc635db10c4ea0981867b67f0188064a3d18b4bfcb46c1b6ac859eebc501ec1cdfe53a3a8
SSDEEP

3072:yI6bftBVxtWBhOSBw3GMPfY98JfZmKP7uasFMakqYTfcIh+2oALNZCiZm8:yI6bftnxtZSBC498JzP7XsqakRTfc6+e

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.2fs.com.au/tmp/rkn.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4788	3224	cmd.exe	WINWORD.EXE

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4332 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3224 WINWORD.EXE
3224 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4228 powershell.exe
4228 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4228 powershell.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE
3224 WINWORD.EXE

pid	process
4332	PING.EXE

pid	process
3224	WINWORD.EXE
3224	WINWORD.EXE

pid	process
4228	powershell.exe
4228	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4228	powershell.exe

pid	process
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE
3224	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 3224 wrote to memory of 4788	3224	WINWORD.EXE	cmd.exe
PID 3224 wrote to memory of 4788	3224	WINWORD.EXE	cmd.exe
PID 4788 wrote to memory of 4332	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 4332	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 228	4788	cmd.exe	chcp.com
PID 4788 wrote to memory of 228	4788	cmd.exe	chcp.com
PID 4788 wrote to memory of 948	4788	cmd.exe	cscript.exe
PID 4788 wrote to memory of 948	4788	cmd.exe	cscript.exe
PID 948 wrote to memory of 4228	948	cscript.exe	powershell.exe
PID 948 wrote to memory of 4228	948	cscript.exe	powershell.exe
PID 4228 wrote to memory of 448	4228	powershell.exe	cmd.exe
PID 4228 wrote to memory of 448	4228	powershell.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45d044f0b47e5b2f56cd81fd9e615e2b9960cdef3a4a9c69e11d014b4bb1d32f.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:4332

C:\Windows\system32\chcp.com
chcp 1251
3⤵
PID:228

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
c3fdf3ccaeaa6bb33165dfe18dae43e6

SHA1
deaf2ed146ab346cd406eccc928a14552dd15e19

SHA256
8606130c7a68799d185a40da2c404b2fb6dbeba6ebc7bca7751e259cec83e148

SHA512
102913925ca5d8d746b1f8f7cbd0a65294a2a023b7d6609aee3a962e74ae21fb1b373b70655851a27d4f2921b9559dce43f50d4a117f517f167c2ea09d4a5e9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
116B

MD5
4922a773060a96738c0309ff2266e9b0

SHA1
4b2effb130c3c0af0c0d17566ea40ddcba59a50e

SHA256
9d005399621525cef2397ca6ebaae4dd373781bec66d362712df8431cbdd1a03

SHA512
ce612df4b8516dbfd0f332b3419cc858d2ebc2211d56f75c917d4af551fa20b3936558b4e0036e57844c8865f8ed9b75c7fdf2d49c0cd2e9acf655516d9ddd04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
398B

MD5
f274f67c467b49b9d278ca3b4196b5d0

SHA1
8b80213e280bf2b40057a3b5269a540c387fd036

SHA256
79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1

SHA512
12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Download Submit
memory/228-143-0x0000000000000000-mapping.dmp

Download
memory/448-153-0x0000000000000000-mapping.dmp

Download
memory/948-144-0x0000000000000000-mapping.dmp

Download
memory/3224-138-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmp

Filesize
64KB

Download
memory/3224-134-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-132-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-159-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-142-0x000001C225CA0000-0x000001C225CA2000-memory.dmp

Filesize
8KB

Download
memory/3224-137-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmp

Filesize
64KB

Download
memory/3224-136-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-135-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-158-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-157-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-156-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-133-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3224-151-0x000001C225CA0000-0x000001C225CA2000-memory.dmp

Filesize
8KB

Download
memory/4228-150-0x00007FFF2BE70000-0x00007FFF2C931000-memory.dmp

Filesize
10.8MB

Download
memory/4228-152-0x00007FFF2BE70000-0x00007FFF2C931000-memory.dmp

Filesize
10.8MB

Download
memory/4228-154-0x000002813FAB0000-0x000002813FB26000-memory.dmp

Filesize
472KB

Download
memory/4228-148-0x000002813F650000-0x000002813F694000-memory.dmp

Filesize
272KB

Download
memory/4228-147-0x000002813F4B0000-0x000002813F4D2000-memory.dmp

Filesize
136KB

Download
memory/4228-146-0x0000000000000000-mapping.dmp

Download
memory/4332-141-0x0000000000000000-mapping.dmp

Download
memory/4788-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads