a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b

General

Target

a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm
Size

24KB
MD5

41e4704e3df740dd52892e2a8050a184
SHA1

d28771e1d01e02639ef5265ed774824bdbcd8b74
SHA256

a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b
SHA512

0e70b94526d48235d06c9a87e9a19f6f69af1f9bbf4e3787281676320b119061590dbebf75be40a0e252f4432a3b164db24a2f2a416e6a15cd2763eeab1297b2
SSDEEP

384:0Cdfgra/RjfuFsp9ZpaAvmODnLy3PuBHmbPFdGDCnZ21OP:mra/ci7ZpxmwLQuBMPvGDzO

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://danidata.dk/js/bin.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2356	4032	cmd.exe	WINWORD.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

796 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4032 WINWORD.EXE
4032 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3684 powershell.exe
3684 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3684 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE

pid	process
796	PING.EXE

pid	process
4032	WINWORD.EXE
4032	WINWORD.EXE

pid	process
3684	powershell.exe
3684	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3684	powershell.exe

pid	process
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 4032 wrote to memory of 2356	4032	WINWORD.EXE	cmd.exe
PID 4032 wrote to memory of 2356	4032	WINWORD.EXE	cmd.exe
PID 2356 wrote to memory of 796	2356	cmd.exe	PING.EXE
PID 2356 wrote to memory of 796	2356	cmd.exe	PING.EXE
PID 2356 wrote to memory of 2052	2356	cmd.exe	chcp.com
PID 2356 wrote to memory of 2052	2356	cmd.exe	chcp.com
PID 2356 wrote to memory of 3928	2356	cmd.exe	cscript.exe
PID 2356 wrote to memory of 3928	2356	cmd.exe	cscript.exe
PID 3928 wrote to memory of 3684	3928	cscript.exe	powershell.exe
PID 3928 wrote to memory of 3684	3928	cscript.exe	powershell.exe
PID 3684 wrote to memory of 3268	3684	powershell.exe	cmd.exe
PID 3684 wrote to memory of 3268	3684	powershell.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:796

C:\Windows\system32\chcp.com
chcp 1251
3⤵
PID:2052

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
dcbe272ee08203bf155923322aa61518

SHA1
739e63c3ce63c39cd1f40ff0c3813857bc75a762

SHA256
adae6d26be4a3930ed9b92b6b1a3c57a70527ea19bc4504320c5c1734c452568

SHA512
004141f496fab8361eb7a6a8b45f02ffca820677c69a614464bb11279bfb15999fda0e49aaa68e6379d8a6b89a64e1b732e28a7f57bcec704405826e07df04e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
116B

MD5
4922a773060a96738c0309ff2266e9b0

SHA1
4b2effb130c3c0af0c0d17566ea40ddcba59a50e

SHA256
9d005399621525cef2397ca6ebaae4dd373781bec66d362712df8431cbdd1a03

SHA512
ce612df4b8516dbfd0f332b3419cc858d2ebc2211d56f75c917d4af551fa20b3936558b4e0036e57844c8865f8ed9b75c7fdf2d49c0cd2e9acf655516d9ddd04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
398B

MD5
f274f67c467b49b9d278ca3b4196b5d0

SHA1
8b80213e280bf2b40057a3b5269a540c387fd036

SHA256
79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1

SHA512
12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Download Submit
memory/796-141-0x0000000000000000-mapping.dmp

Download
memory/2052-142-0x0000000000000000-mapping.dmp

Download
memory/2356-139-0x0000000000000000-mapping.dmp

Download
memory/3268-151-0x0000000000000000-mapping.dmp

Download
memory/3684-147-0x0000018A787C0000-0x0000018A78804000-memory.dmp

Filesize
272KB

Download
memory/3684-149-0x00007FFDE6C30000-0x00007FFDE76F1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-152-0x0000018A78890000-0x0000018A78906000-memory.dmp

Filesize
472KB

Download
memory/3684-150-0x00007FFDE6C30000-0x00007FFDE76F1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-146-0x0000018A78180000-0x0000018A781A2000-memory.dmp

Filesize
136KB

Download
memory/3684-145-0x0000000000000000-mapping.dmp

Download
memory/3928-143-0x0000000000000000-mapping.dmp

Download
memory/4032-135-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp

Filesize
64KB

Download
memory/4032-132-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp

Filesize
64KB

Download
memory/4032-134-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp

Filesize
64KB

Download
memory/4032-138-0x00007FFDD0F00000-0x00007FFDD0F10000-memory.dmp

Filesize
64KB

Download
memory/4032-136-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp

Filesize
64KB

Download
memory/4032-133-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp

Filesize
64KB

Download
memory/4032-137-0x00007FFDD0F00000-0x00007FFDD0F10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads