Analysis
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220812-es
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 30-01-2023 22:32
Behavioral task behavioral1
  Sample: baddoc.doc
  Resource: win7-20220901-es
Behavioral task behavioral2
  Sample: baddoc.doc
  Resource: win10v2004-20220812-es
General
Target: baddoc.doc
Size: 62KB
MD5: a3b613d128aace09241504e8acc678c2
SHA1: edde71ccadfad1380b881da5ecafc77fba5885b8
SHA256: 8b92c23b29422131acc150fa1ebac67e1b0b0f8cfc1b727805b842a88de447de
SHA512: cef74b5b9fb3c4dba72650401dfe31b059db239a3248e1c9b91ab7f95907080d1b6258b32e4817184540129339f60c95f4e9e991d115e8414aea3b108eaf8dec
SSDEEP: 768:+0MGUUTYQin+b4C7UqCVuO1BtWmxzdrZUIdjXgAmxZp2j5s2p:+0MGUUTYQic8qS1XndrZf8pMV
Malware Config
Extracted: http://91.220.131.44/upd/install.exe
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: cmd.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 1928; pid_target: 4460; process: cmd.exe; target process: WINWORD.EXE

Blocklisted process makes network request (1 IoCs)
Processes: powershell.exe
  flow: 48; pid: 2812; process: powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cscript.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation; process: cscript.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE

Runs ping.exe (1 TTPs)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid: 4460; process: WINWORD.EXE (2 identical entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
  pid: 2812; process: powershell.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: powershell.exe
  description: Token: SeDebugPrivilege; pid: 2812; process: powershell.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid: 4460; process: WINWORD.EXE (7 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: WINWORD.EXE, cmd.exe, cscript.exe, powershell.exe
  description: PID 4460 wrote to memory of 1928; pid: 4460; process: WINWORD.EXE; target process: cmd.exe (2 identical entries)
  description: PID 1928 wrote to memory of 3652; pid: 1928; process: cmd.exe; target process: PING.EXE (2 identical entries)
  description: PID 1928 wrote to memory of 4264; pid: 1928; process: cmd.exe; target process: chcp.com (2 identical entries)
  description: PID 1928 wrote to memory of 4988; pid: 1928; process: cmd.exe; target process: cscript.exe (2 identical entries)
  description: PID 4988 wrote to memory of 2812; pid: 4988; process: cscript.exe; target process: powershell.exe (2 identical entries)
  description: PID 2812 wrote to memory of 1500; pid: 2812; process: powershell.exe; target process: cmd.exe (2 identical entries)
Processes (indentation shows the process tree; the number is the depth level)

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\baddoc.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         Command line: ping 1.1.2.2 -n 2
         - Runs ping.exe

      3. C:\Windows\system32\chcp.com
         Command line: chcp 1251

      3. C:\Windows\system32\cscript.exe
         Command line: cscript.exe "c:\Users\Admin\AppData\Local\Temp\adobeacd-update"".""v""bs"
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\cmd.exe
               Command line: "C:\Windows\system32\cmd.exe" /c c:\Users\Admin\AppData\Local\Temp\444.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\adobeacd-update.ps1
  Filesize: 1KB
  MD5: f4e07dbef9faa1cb3b47cac04f06b094
  SHA1: aa8acb13858c2d9979f76e88759b43e43919669a
  SHA256: 90af729d2d78dccb4ac1aeaa24ea50fa13cc54a883bad6de05bbf33d90577f0d
  SHA512: dd02098ff345875b25c94a6bfa4481c36bfd41cf5d0868715719bd6952cebca990881aacccba9da0a581b36725201da88f28d356de40179953f06a78742f59ec

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.bat
  Filesize: 207B
  MD5: bcee45f249102dd87bc0445925e1dc65
  SHA1: 5652e6a5aa3178329def77f50e54529997e0cfad
  SHA256: 84b6d24219105e86f42329300278bbefa03ff6b40116123f3d19ff3c20f6ec9a
  SHA512: c6290cc42bc452ce9d4bd284909da7f735d571dedf98e55809c1d91b0272db2a09e76865f2f476a7a2a1833126920ed7f2f9fab5d400bf2d0fb0ff381b432480

\??\c:\Users\Admin\AppData\Local\Temp\adobeacd-update.vbs
  Filesize: 357B
  MD5: 4595af11d7e8f623a9c1c3169d9bf20c
  SHA1: 11874e9d2ecada1b01dd1d05a8aa835bd4a31714
  SHA256: 4ed9c705449ec3a1a2afd425b478ae80d339c03498eb56dc19d7516fd9cadded
  SHA512: b4a6edff072d77f389da0e93ad834e54e7c4e078cc3c2344ea939730720d8305dc72324d4b791ea0bb833724df9f96d7facd26970c74be8d5b0ee3bafe735cf3