84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db

General

Target

84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm
Size

36KB
MD5

4d41aa8d48ebe4058400414209661ce1
SHA1

d4bb81ee3cd28bf2d7f2bebeb3abcfb010a40a40
SHA256

84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db
SHA512

207cb9feb0bf381df043f896983a1cceb50d51276c0883e7586a26932bd4a137efbc00776e08dff3ed97a403ae160595ca9eb65bba09b694b6c33570be123da2
SSDEEP

768:c6v3MYE5yrGJKqKcDZb+vgSGf4fKnUXXr6ffGxuH5l6:c6v8i0KDOjnm6ffGU5l6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://91.220.131.114/upd/install.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	32	4960	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

39 4184 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
39	4184	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3692 PING.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4960 WINWORD.EXE
4960 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4184 powershell.exe
4184 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4184 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4960 WINWORD.EXE
4960 WINWORD.EXE
4960 WINWORD.EXE
4960 WINWORD.EXE
4960 WINWORD.EXE
4960 WINWORD.EXE
4960 WINWORD.EXE

pid	process
3692	PING.EXE

pid	process
4960	WINWORD.EXE
4960	WINWORD.EXE

pid	process
4184	powershell.exe
4184	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4184	powershell.exe

pid	process
4960	WINWORD.EXE
4960	WINWORD.EXE
4960	WINWORD.EXE
4960	WINWORD.EXE
4960	WINWORD.EXE
4960	WINWORD.EXE
4960	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execscript.exepowershell.exe

description	pid	process	target process
PID 4960 wrote to memory of 32	4960	WINWORD.EXE	cmd.exe
PID 4960 wrote to memory of 32	4960	WINWORD.EXE	cmd.exe
PID 32 wrote to memory of 3692	32	cmd.exe	PING.EXE
PID 32 wrote to memory of 3692	32	cmd.exe	PING.EXE
PID 32 wrote to memory of 2440	32	cmd.exe	chcp.com
PID 32 wrote to memory of 2440	32	cmd.exe	chcp.com
PID 32 wrote to memory of 3508	32	cmd.exe	cscript.exe
PID 32 wrote to memory of 3508	32	cmd.exe	cscript.exe
PID 3508 wrote to memory of 4184	3508	cscript.exe	powershell.exe
PID 3508 wrote to memory of 4184	3508	cscript.exe	powershell.exe
PID 4184 wrote to memory of 4432	4184	powershell.exe	cmd.exe
PID 4184 wrote to memory of 4432	4184	powershell.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\84dbeb770a728c415340d4ed6b8fd9fd66ca706e312464f1b68edd9fdf0aa0db.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\system32\PING.EXE
ping 1.1.2.2 -n 2
3⤵
- Runs ping.exe
PID:3692

C:\Windows\system32\chcp.com
chcp 1251
3⤵
PID:2440

C:\Windows\system32\cscript.exe
cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
5⤵
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
Filesize
1KB

MD5
a5606d4e993f72fa68e41f0b3c4bdc3a

SHA1
3c8520de628b33b98a7d56f0d69246914ea52bb5

SHA256
39016def2e66910a436ce081f9cc40c1b08192052b4a93a435d6b9f998a9c03a

SHA512
c40f4c58c144afcce457124b262408e6956b16d285664f62966639a3f979a2ab67d73691f819f68841d3ff4390fd71e7e13e064fd844d58229b7a9815ae2242f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
Filesize
133B

MD5
5fb5e5941e8075702155a334a4d2d550

SHA1
8f509452a0eb033db1627fea9bf0e3f67c2c1c45

SHA256
f6d1ed9aaf131c3d6489e59acd62abd00bb53bb9c1a65ff4d441d8246e512f8f

SHA512
3e292405a4d666653eb594efffbb8011752229f814e889ed1bf7062f7e21ddee8a82538171f5ee8b8aeb58f5d3e9ed02f29f4612f66e5c84117de70b67c26390

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
Filesize
398B

MD5
f274f67c467b49b9d278ca3b4196b5d0

SHA1
8b80213e280bf2b40057a3b5269a540c387fd036

SHA256
79253c4e93bcc34576fa2f98a243241d00c7f38e91c1bebd4afc7ea41530fca1

SHA512
12daa3c73d16eaee755151dbc7907a4dcc8082e7896ba5333a62c4380a8e31c3b9a20b38d553abe14b491ad5ba107ccc74514548696f01daaae03b35f2b3d84b

Download Submit
memory/32-143-0x0000000000000000-mapping.dmp

Download
memory/2440-146-0x0000000000000000-mapping.dmp

Download
memory/3508-147-0x0000000000000000-mapping.dmp

Download
memory/3692-145-0x0000000000000000-mapping.dmp

Download
memory/4184-150-0x000002689BD00000-0x000002689BD22000-memory.dmp

Filesize
136KB

Download
memory/4184-149-0x0000000000000000-mapping.dmp

Download
memory/4184-156-0x00000268B4450000-0x00000268B44C6000-memory.dmp

Filesize
472KB

Download
memory/4184-154-0x00007FFCE14A0000-0x00007FFCE1F61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-153-0x00007FFCE14A0000-0x00007FFCE1F61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-151-0x00000268B4380000-0x00000268B43C4000-memory.dmp

Filesize
272KB

Download
memory/4432-155-0x0000000000000000-mapping.dmp

Download
memory/4960-139-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

Filesize
64KB

Download
memory/4960-135-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

Filesize
64KB

Download
memory/4960-137-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

Filesize
64KB

Download
memory/4960-136-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

Filesize
64KB

Download
memory/4960-138-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

Filesize
64KB

Download
memory/4960-142-0x000001F2F8C10000-0x000001F2F8C14000-memory.dmp

Filesize
16KB

Download
memory/4960-140-0x00007FFCCB810000-0x00007FFCCB820000-memory.dmp

Filesize
64KB

Download
memory/4960-141-0x00007FFCCB810000-0x00007FFCCB820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads