Analysis
max time kernel: 162s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 03:36
Behavioral task behavioral1
Sample: a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm
Resource: win10v2004-20220812-en
General
Target: a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm
Size: 24KB
MD5: 41e4704e3df740dd52892e2a8050a184
SHA1: d28771e1d01e02639ef5265ed774824bdbcd8b74
SHA256: a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b
SHA512: 0e70b94526d48235d06c9a87e9a19f6f69af1f9bbf4e3787281676320b119061590dbebf75be40a0e252f4432a3b164db24a2f2a416e6a15cd2763eeab1297b2
SSDEEP: 384:0Cdfgra/RjfuFsp9ZpaAvmODnLy3PuBHmbPFdGDCnZ21OP:mra/ci7ZpxmwLQuBMPvGDzO
Malware Config
Extracted
http://danidata.dk/js/bin.exe
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  process: cmd.exe (pid 2356); target process: WINWORD.EXE (pid 4032)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  cscript.exe: key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoCs are listed for this signature in the report.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  WINWORD.EXE (pid 4032), 2 occurrences

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  powershell.exe (pid 3684), 2 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  powershell.exe (pid 3684): Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  WINWORD.EXE (pid 4032), 7 occurrences

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each pair is recorded twice in the report):
  PID 4032 WINWORD.EXE wrote to memory of 2356 cmd.exe
  PID 2356 cmd.exe wrote to memory of 796 PING.EXE
  PID 2356 cmd.exe wrote to memory of 2052 chcp.com
  PID 2356 cmd.exe wrote to memory of 3928 cscript.exe
  PID 3928 cscript.exe wrote to memory of 3684 powershell.exe
  PID 3684 powershell.exe wrote to memory of 3268 cmd.exe
Processes
Depth 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 4032)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\system32\cmd.exe (pid 2356)
    C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\system32\PING.EXE (pid 796)
      ping 1.1.2.2 -n 2
      - Runs ping.exe
    Depth 3: C:\Windows\system32\chcp.com (pid 2052)
      chcp 1251
    Depth 3: C:\Windows\system32\cscript.exe (pid 3928)
      cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (pid 3684)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\system32\cmd.exe (pid 3268)
          "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
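The chain above (WINWORD.EXE to cmd.exe to a batch file that pings for a delay, switches code page, runs a VBS, which launches PowerShell with the execution policy bypassed, which runs an executable from the user's Temp directory) is what a process-creation detection should catch. The following is an added example, not part of the Triage report or of the sample: it rebuilds the process tree from constructed Sysmon-style process-creation events that mirror the report's PIDs and command lines (the parent PID of WINWORD.EXE, 1000, is an assumption the report does not show) and applies five rules. The first is the sandbox's own "unexpected child" check on direct children of Office; the second generalises it to flag script hosts anywhere below an Office process, which catches the cscript and PowerShell stages that the direct-parent rule alone would miss.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Parents that should almost never launch shells or script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts seen in the report's chain, plus common siblings.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PS_BYPASS_RE = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.IGNORECASE)
PING_DELAY_RE = re.compile(r"^ping\b.*\s-n\s+\d+", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


Event = Tuple[int, int, str, str]  # (pid, ppid, image path, command line)

# Constructed events mirroring the report's process tree. The parent PID of
# WINWORD.EXE (1000) is an assumption; the report does not show it.
EVENTS: List[Event] = [
    (4032, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a2f07c6892b95212c64a850f56a43b73fc5dc34b9efb2fcf14598442196cf29b.docm" /o ""'),
    (2356, 4032, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat"),
    (796, 2356, r"C:\Windows\system32\PING.EXE", "ping 1.1.2.2 -n 2"),
    (2052, 2356, r"C:\Windows\system32\chcp.com", "chcp 1251"),
    (3928, 2356, r"C:\Windows\system32\cscript.exe",
     r'cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"'),
    (3684, 3928, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1'),
    (3268, 3684, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe'),
]


def build_tree(events: List[Event]) -> Dict[int, Proc]:
    """Index processes by PID and link each one to its parent, if present."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the outermost known ancestor down to `pid`."""
    chain: List[str] = []
    p = procs.get(pid)
    while p is not None:
        chain.append(p.name)
        p = procs.get(p.ppid)
    return chain[::-1]


def detect(procs: Dict[int, Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for the chain this report shows."""
    findings: List[Tuple[int, str, str]] = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        lineage = ancestry(procs, p.pid)[:-1]  # ancestors only
        # Rule 1: the sandbox's own signature, Office directly spawning a child.
        if parent is not None and parent.name in OFFICE_APPS:
            findings.append((p.pid, "office_spawned_child", f"{parent.name} -> {p.name}"))
        # Rule 2: generalisation, any script host anywhere below an Office process.
        if p.name in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in lineage):
            findings.append((p.pid, "script_host_under_office", " > ".join(lineage + [p.name])))
        # Rule 3: PowerShell with the execution policy bypassed on the command line.
        if p.name == "powershell.exe" and PS_BYPASS_RE.search(p.cmdline):
            findings.append((p.pid, "powershell_execpolicy_bypass", p.cmdline))
        # Rule 4: ping -n N launched by cmd.exe, a cheap sleep used to wait out sandboxes.
        if (p.name == "ping.exe" and parent is not None and parent.name == "cmd.exe"
                and PING_DELAY_RE.search(p.cmdline)):
            findings.append((p.pid, "ping_as_sleep", p.cmdline))
        # Rule 5: script hosts running content out of the user's Temp directory.
        if p.name in SCRIPT_HOSTS and TEMP_RE.search(p.cmdline):
            findings.append((p.pid, "script_from_user_temp", p.cmdline))
    return findings


def run_report() -> List[Tuple[int, str, str]]:
    """Apply the rules to the constructed events from this report."""
    return detect(build_tree(EVENTS))


if __name__ == "__main__":
    for pid, rule, detail in run_report():
        print(f"[{rule}] pid={pid}: {detail}")
```

Rule 1 fires only on pid 2356, exactly as the report's signature does; rule 2 additionally fires on 3928, 3684 and 3268 because their ancestry still leads back to WINWORD.EXE. In a real pipeline the events would come from Sysmon Event ID 1 or the equivalent EDR telemetry, and the allow-list of expected Office children (printers, Protected View helpers) would need tuning per environment.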
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: dcbe272ee08203bf155923322aa61518
  SHA1: 739e63c3ce63c39cd1f40ff0c3813857bc75a762
  SHA256: adae6d26be4a3930ed9b92b6b1a3c57a70527ea19bc4504320c5c1734c452568
  SHA512: 004141f496fab8361eb7a6a8b45f02ffca820677c69a614464bb11279bfb15999fda0e49aaa68e6379d8a6b89a64e1b732e28a7f57bcec704405826e07df04e9

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 116B
  MD5: 4922a773060a96738c0309ff2266e9b0
  SHA1: 4b2effb130c3c0af0c0d17566ea40ddcba59a50e
  SHA256: 9d005399621525cef2397ca6ebaae4dd373781bec66d362712df8431cbdd1a03
  SHA512: ce612df4b8516dbfd0f332b3419cc858d2ebc2211d56f75c917d4af551fa20b3936558b4e0036e57844c8865f8ed9b75c7fdf2d49c0cd2e9acf655516d9ddd04

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 398B
  MD5: f274f67c467b49b9d278ca3b4196b5d0
  SHA1: 8b80213e280bf2b40057a3b5269a540c387fd036
  SHA256: 79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1
  SHA512: 12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Neither 444.exe (the file run by pid 3268) nor bin.exe from the extracted URL appears among the files listed here.
memory/796-141-0x0000000000000000-mapping.dmp
memory/2052-142-0x0000000000000000-mapping.dmp
memory/2356-139-0x0000000000000000-mapping.dmp
memory/3268-151-0x0000000000000000-mapping.dmp
memory/3684-147-0x0000018A787C0000-0x0000018A78804000-memory.dmp (272KB)
memory/3684-149-0x00007FFDE6C30000-0x00007FFDE76F1000-memory.dmp (10.8MB)
memory/3684-152-0x0000018A78890000-0x0000018A78906000-memory.dmp (472KB)
memory/3684-150-0x00007FFDE6C30000-0x00007FFDE76F1000-memory.dmp (10.8MB)
memory/3684-146-0x0000018A78180000-0x0000018A781A2000-memory.dmp (136KB)
memory/3684-145-0x0000000000000000-mapping.dmp
memory/3928-143-0x0000000000000000-mapping.dmp
memory/4032-135-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp (64KB)
memory/4032-132-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp (64KB)
memory/4032-134-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp (64KB)
memory/4032-138-0x00007FFDD0F00000-0x00007FFDD0F10000-memory.dmp (64KB)
memory/4032-136-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp (64KB)
memory/4032-133-0x00007FFDD3350000-0x00007FFDD3360000-memory.dmp (64KB)
memory/4032-137-0x00007FFDD0F00000-0x00007FFDD0F10000-memory.dmp (64KB)