670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0

General

Target

670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm
Size

21KB
MD5

720f6555332b5fee6755debc506c6dd5
SHA1

4a2d406e5aff77159ee39067383302420231b045
SHA256

670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0
SHA512

295238351c882e129ceaac7d8d248a40d24b2d085cc78817d3334f03b3bfc24fc2123bddfd393500ece4600ede743eb3b31f5d789a5153e577668658e8abfacc
SSDEEP

384:/imtZAqRZiSte7ZwedKS6w19Q/CEmkfsJyJ7sSMk+dRYHWfVMzPYkEx:/LZAqRZ7t2Zweww19Q6nSMk+Y2fVGP0

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://belombre.com/js/bin.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	832	4484	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

104 2268 powershell.exe
107 2268 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
104	2268	powershell.exe
107	2268	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4992 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4484 WINWORD.EXE
4484 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2268 powershell.exe
2268 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2268 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4484 WINWORD.EXE
4484 WINWORD.EXE
4484 WINWORD.EXE
4484 WINWORD.EXE
4484 WINWORD.EXE
4484 WINWORD.EXE
4484 WINWORD.EXE

pid	process
4992	PING.EXE

pid	process
4484	WINWORD.EXE
4484	WINWORD.EXE

pid	process
2268	powershell.exe
2268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2268	powershell.exe

pid	process
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEcmd.execscript.exe

description	pid	process	target process
PID 4484 wrote to memory of 832	4484	WINWORD.EXE	cmd.exe
PID 4484 wrote to memory of 832	4484	WINWORD.EXE	cmd.exe
PID 832 wrote to memory of 4992	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 4992	832	cmd.exe	PING.EXE
PID 832 wrote to memory of 3412	832	cmd.exe	cscript.exe
PID 832 wrote to memory of 3412	832	cmd.exe	cscript.exe
PID 3412 wrote to memory of 2268	3412	cscript.exe	powershell.exe
PID 3412 wrote to memory of 2268	3412	cscript.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:4992

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
dbe0df0ea16c82857c8b21a18e3d5dc4

SHA1
34da2a37991a9c0d636861dd598e49ed7400e50e

SHA256
35cb45bf4b886175868c0c41bbc7822c1615a18678d0cfce3a9b43d91087d3b9

SHA512
ebe5a173456885255da3eb432543fe912ba26287c636e0f7585f6d17cb08f32b33cac24b5c637f84cdf1ce0199c2621ffbeb2236ce7a6f873b8e2bd6055cb837

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
105B

MD5
887e69d78ec4cdd87bd91bde8d1202ea

SHA1
24e2d56daf1660916e12085c9a05f0e203e1d797

SHA256
37043a8c9988e89e9726fa3a8dd9a0fbee8d4d96c6fa87788b1ca247fd33a90f

SHA512
d6931aec563e2a34b92ae5084f57ccfa5ed62de2b6d1dcb428c04611460e5fc763a4d0271184134469c650ae99d276c0376fd666d57f3fc17a32e2f8a878a631

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
669B

MD5
ffc36f926b285039fac6a9d1935a902c

SHA1
187f3f56d94f35bddd58a53b3420c8444d50bd30

SHA256
3e2165633ad34ce60ecfe72de564506f25ecdcba79a52b4ed42213c7f722ff64

SHA512
97560c3192ff6d81a515abd5103ccde9f1df3ebe49ed18b20e2431b5e20fc0ebe210f1fcc845377996cdcd043cc6f4e0d21d75181a7b022f46f82469336569fa

Download Submit
memory/832-139-0x0000000000000000-mapping.dmp

Download
memory/2268-147-0x0000020E3E730000-0x0000020E3E774000-memory.dmp

Filesize
272KB

Download
memory/2268-145-0x0000000000000000-mapping.dmp

Download
memory/2268-150-0x00007FF910450000-0x00007FF910F11000-memory.dmp

Filesize
10.8MB

Download
memory/2268-148-0x00007FF910450000-0x00007FF910F11000-memory.dmp

Filesize
10.8MB

Download
memory/2268-146-0x0000020E3E5B0000-0x0000020E3E5D2000-memory.dmp

Filesize
136KB

Download
memory/3412-143-0x0000000000000000-mapping.dmp

Download
memory/4484-133-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp

Filesize
64KB

Download
memory/4484-132-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp

Filesize
64KB

Download
memory/4484-142-0x000002594BEBB000-0x000002594BEBD000-memory.dmp

Filesize
8KB

Download
memory/4484-137-0x00007FF8FAD20000-0x00007FF8FAD30000-memory.dmp

Filesize
64KB

Download
memory/4484-135-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp

Filesize
64KB

Download
memory/4484-136-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp

Filesize
64KB

Download
memory/4484-134-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp

Filesize
64KB

Download
memory/4484-138-0x00007FF8FAD20000-0x00007FF8FAD30000-memory.dmp

Filesize
64KB

Download
memory/4992-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads