Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 18:50
Behavioral task: behavioral1
Sample: 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm
Resource: win10v2004-20220901-en
General
Target: 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm
Size: 36KB
MD5: 4d41aa8d48ebe4058400414209661ce1
SHA1: d4bb81ee3cd28bf2d7f2bebeb3abcfb010a40a40
SHA256: 84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db
SHA512: 207cb9feb0bf381df043f896983a1cceb50d51276c0883e7586a26932bd4a137efbc00776e08dff3ed97a403ae160595ca9eb65bba09b694b6c33570be123da2
SSDEEP: 768:c6v3MYE5yrGJKqKcDZb+vgSGf4fKnUXXr6ffGxuH5l6:c6v8i0KDOjnm6ffGU5l6
Malware Config
Extracted: http://91.220.131.114/upd/install.exe
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | pid: 32 | pid_target: 4960 | process: cmd.exe | target process: WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes:
  flow: 39 | pid: 4184 | process: powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | process: cscript.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid: 4960 | process: WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 4184 | process: powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege | pid: 4184 | process: powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid: 4960 | process: WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description: PID 4960 wrote to memory of 32 | pid: 4960 | process: WINWORD.EXE | target process: cmd.exe (2 entries)
  description: PID 32 wrote to memory of 3692 | pid: 32 | process: cmd.exe | target process: PING.EXE (2 entries)
  description: PID 32 wrote to memory of 2440 | pid: 32 | process: cmd.exe | target process: chcp.com (2 entries)
  description: PID 32 wrote to memory of 3508 | pid: 32 | process: cmd.exe | target process: cscript.exe (2 entries)
  description: PID 3508 wrote to memory of 4184 | pid: 3508 | process: cscript.exe | target process: powershell.exe (2 entries)
  description: PID 4184 wrote to memory of 4432 | pid: 4184 | process: powershell.exe | target process: cmd.exe (2 entries)
Processes (process tree; the number is the depth in the tree)

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\PING.EXE
      Command line: ping 1.1.2.2 -n 2
      - Runs ping.exe

    [depth 3] C:\Windows\system32\chcp.com
      Command line: chcp 1251

    [depth 3] C:\Windows\system32\cscript.exe
      Command line: cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: a5606d4e993f72fa68e41f0b3c4bdc3a
  SHA1: 3c8520de628b33b98a7d56f0d69246914ea52bb5
  SHA256: 39016def2e66910a436ce081f9cc40c1b08192052b4a93a435d6b9f998a9c03a
  SHA512: c40f4c58c144afcce457124b262408e6956b16d285664f62966639a3f979a2ab67d73691f819f68841d3ff4390fd71e7e13e064fd844d58229b7a9815ae2242f

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 133B
  MD5: 5fb5e5941e8075702155a334a4d2d550
  SHA1: 8f509452a0eb033db1627fea9bf0e3f67c2c1c45
  SHA256: f6d1ed9aaf131c3d6489e59acd62abd00bb53bb9c1a65ff4d441d8246e512f8f
  SHA512: 3e292405a4d666653eb594efffbb8011752229f814e889ed1bf7062f7e21ddee8a82538171f5ee8b8aeb58f5d3e9ed02f29f4612f66e5c84117de70b67c26390

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 398B
  MD5: f274f67c467b49b9d278ca3b4196b5d0
  SHA1: 8b80213e280bf2b40057a3b5269a540c387fd036
  SHA256: 79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1
  SHA512: 12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b