Overview

overview

10

Static

static

8

4c8a8e5b78...47.doc

windows7-x64

10

4c8a8e5b78...47.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c8a8e5b785534584e6b34bbad989b987f9ca1e775d5fcc8542b637be7a57647.doc

  • Size

    91KB

  • MD5

    6aa719b3139c116b698a0301353730ef

  • SHA1

    a16d40091b96aad02b56c93be840624798920aec

  • SHA256

    4c8a8e5b785534584e6b34bbad989b987f9ca1e775d5fcc8542b637be7a57647

  • SHA512

    cd41162a9ab12d5107b4210f33ea4595eeec857244da51e9aa095a6c71fce26986295a2c8fe68d4dd4395f87f1548211b01f49934a3fce5c70f090c2f3e8d483

  • SSDEEP

    768:u9nA7UKF6qH2sYzyTrZ0c9eDUxz99dA3QDiHRm7kJx90SWuEilvRt3B2XpyHQiVJ:EKfRYyF0c9eDU3s3QSWEN4XkwiA49h

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://savepic.su/5479081.png
exe.dropper

http://app.www3-myups.org/officess.exe

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4c8a8e5b785534584e6b34bbad989b987f9ca1e775d5fcc8542b637be7a57647.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.2.2 -n 2
        3⤵
        • Runs ping.exe
        PID:1760
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:1484
        • C:\Windows\SysWOW64\cscript.exe
          cscript.exe "c:\Users\Admin\AppData\Local\Temp\""adobeacd""-update"".""v""bs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1924
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
              5⤵
                PID:1976
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          2⤵
            PID:856

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
          Filesize

          1KB

          MD5

          f311b20007267c2b3c8192589648403d

          SHA1

          4a92f6ac898415972173ea9de7e425d4420dc2db

          SHA256

          a9370d5791f5783158e6722aacc95c69fa8f2f206051bc73d05723b055b144b1

          SHA512

          d88fd4b7ddd1c96a4b1beffa4734028b164d02f983cb49dc321610ba7dd69f4e24db51c45a80e0a1124c3b35f569b2ed1770d2e0ef5d08dda74879290ef0fa07

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
          Filesize

          239B

          MD5

          5938638a06e50a981387a34587c29ca9

          SHA1

          942134217557d655b5182301a5056273359554d7

          SHA256

          d2e6300c50e2b8b912d40b9fa759aee3776d9ddd0368f579049a9d8b80c6c573

          SHA512

          6cf7e4ffc8ee05285c6b989c5b5d71ac54c9ed2fca8f63924dbf7d806ecbe2ce9d5570baa6392db82c58e33d44246e2f03b6c1bab8defff066635e0ea5e7b227

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
          Filesize

          439B

          MD5

          02e86f62a7ce13e9d67f55f8a2150403

          SHA1

          e8f7e86c6542031a9d1b3099cfceabbec07f7f5e

          SHA256

          5e59dc114ea4430ce4d12116cc85978bbd18268c6169aabd77d7c8b1a6cf9bf3

          SHA512

          ee91bac272ee4d4b77cbb6a8885bf461d1e781bf8b66d817e6cea23361a0f27023ebb7a8e77c4ac26913fa4da53d4383a5ab0eff8b5bab370b6f7edcf2ca0bd9

          Download Submit

        • memory/856-98-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1100-101-0x000000006A630000-0x000000006ABDB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1100-99-0x000000006A630000-0x000000006ABDB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1100-97-0x0000000004AF0000-0x0000000004BF4000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1108-78-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-81-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-70-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-69-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-68-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-67-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-66-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-65-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-64-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-72-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-73-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-77-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-76-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-75-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-74-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-54-0x0000000072B11000-0x0000000072B14000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1108-79-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-80-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-82-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-71-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-83-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-84-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-85-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1108-61-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-55-0x0000000070591000-0x0000000070593000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1108-89-0x000000007157D000-0x0000000071588000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1108-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1108-57-0x0000000075B41000-0x0000000075B43000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1108-63-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-62-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-59-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-60-0x00000000006E3000-0x00000000006E7000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1108-58-0x000000007157D000-0x0000000071588000-memory.dmp

          Filesize

          44KB

          Download