Analysis
max time kernel: 196s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 03:37
Behavioral task: behavioral1
Sample: 670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm
Resource: win10v2004-20221111-en
General
Target: 670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm
Size: 21KB
MD5: 720f6555332b5fee6755debc506c6dd5
SHA1: 4a2d406e5aff77159ee39067383302420231b045
SHA256: 670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0
SHA512: 295238351c882e129ceaac7d8d248a40d24b2d085cc78817d3334f03b3bfc24fc2123bddfd393500ece4600ede743eb3b31f5d789a5153e577668658e8abfacc
SSDEEP: 384:/imtZAqRZiSte7ZwedKS6w19Q/CEmkfsJyJ7sSMk+dRYHWfVMzPYkEx:/LZAqRZ7t2Zweww19Q6nSMk+Y2fVGP0
Malware Config
Extracted: http://belombre.com/js/bin.exe
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 832 | 4484 | cmd.exe | WINWORD.EXE

Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow | pid | process
  104 | 2268 | powershell.exe
  107 | 2268 | powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
  pid | process
  2268 | powershell.exe
  2268 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2268 | powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE
  4484 | WINWORD.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: WINWORD.EXE, cmd.exe, cscript.exe
  description | pid | process | target process
  PID 4484 wrote to memory of 832 | 4484 | WINWORD.EXE | cmd.exe
  PID 4484 wrote to memory of 832 | 4484 | WINWORD.EXE | cmd.exe
  PID 832 wrote to memory of 4992 | 832 | cmd.exe | PING.EXE
  PID 832 wrote to memory of 4992 | 832 | cmd.exe | PING.EXE
  PID 832 wrote to memory of 3412 | 832 | cmd.exe | cscript.exe
  PID 832 wrote to memory of 3412 | 832 | cmd.exe | cscript.exe
  PID 3412 wrote to memory of 2268 | 3412 | cscript.exe | powershell.exe
  PID 3412 wrote to memory of 2268 | 3412 | cscript.exe | powershell.exe
Processes (process tree; the number in brackets is the depth in the tree)

- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\670011a08ddcde9d1892593a968f87e9e8800248f6bb9b8967b05ec4c34b64d0.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\system32\PING.EXE
      Command line: ping 1.1.2.2 -n 2
      - Runs ping.exe

    - [3] C:\Windows\system32\cscript.exe
      Command line: cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: dbe0df0ea16c82857c8b21a18e3d5dc4
  SHA1: 34da2a37991a9c0d636861dd598e49ed7400e50e
  SHA256: 35cb45bf4b886175868c0c41bbc7822c1615a18678d0cfce3a9b43d91087d3b9
  SHA512: ebe5a173456885255da3eb432543fe912ba26287c636e0f7585f6d17cb08f32b33cac24b5c637f84cdf1ce0199c2621ffbeb2236ce7a6f873b8e2bd6055cb837

- \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 105B
  MD5: 887e69d78ec4cdd87bd91bde8d1202ea
  SHA1: 24e2d56daf1660916e12085c9a05f0e203e1d797
  SHA256: 37043a8c9988e89e9726fa3a8dd9a0fbee8d4d96c6fa87788b1ca247fd33a90f
  SHA512: d6931aec563e2a34b92ae5084f57ccfa5ed62de2b6d1dcb428c04611460e5fc763a4d0271184134469c650ae99d276c0376fd666d57f3fc17a32e2f8a878a631

- \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 669B
  MD5: ffc36f926b285039fac6a9d1935a902c
  SHA1: 187f3f56d94f35bddd58a53b3420c8444d50bd30
  SHA256: 3e2165633ad34ce60ecfe72de564506f25ecdcba79a52b4ed42213c7f722ff64
  SHA512: 97560c3192ff6d81a515abd5103ccde9f1df3ebe49ed18b20e2431b5e20fc0ebe210f1fcc845377996cdcd043cc6f4e0d21d75181a7b022f46f82469336569fa
Memory dumps (mapping entries have no filesize)
  dump | filesize
  memory/832-139-0x0000000000000000-mapping.dmp |
  memory/2268-147-0x0000020E3E730000-0x0000020E3E774000-memory.dmp | 272KB
  memory/2268-145-0x0000000000000000-mapping.dmp |
  memory/2268-150-0x00007FF910450000-0x00007FF910F11000-memory.dmp | 10.8MB
  memory/2268-148-0x00007FF910450000-0x00007FF910F11000-memory.dmp | 10.8MB
  memory/2268-146-0x0000020E3E5B0000-0x0000020E3E5D2000-memory.dmp | 136KB
  memory/3412-143-0x0000000000000000-mapping.dmp |
  memory/4484-133-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp | 64KB
  memory/4484-132-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp | 64KB
  memory/4484-142-0x000002594BEBB000-0x000002594BEBD000-memory.dmp | 8KB
  memory/4484-137-0x00007FF8FAD20000-0x00007FF8FAD30000-memory.dmp | 64KB
  memory/4484-135-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp | 64KB
  memory/4484-136-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp | 64KB
  memory/4484-134-0x00007FF8FD290000-0x00007FF8FD2A0000-memory.dmp | 64KB
  memory/4484-138-0x00007FF8FAD20000-0x00007FF8FAD30000-memory.dmp | 64KB
  memory/4992-141-0x0000000000000000-mapping.dmp |