Analysis
- max time kernel: 138s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 13-05-2021 02:27

Static task: static1
Behavioral task: behavioral1
Sample: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
Resource: win7v20210410

General
- Target: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
- Size: 409KB
- MD5: ba3916c609c877870cfe6c582d7aa82e
- SHA1: 4f6583881ea79793e59d1ab58dfcb95d4eb09cca
- SHA256: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058
- SHA512: 709a27fc0dfadb446126d42049c46ac96c0b993f31a0a7c7a7e4745e55111ce904f4bbb296774c9f59fb2ad5e6451572813ab5eb6f0966e65db9067b4eac63ee
Malware Config
Signatures
- Executes dropped EXE 1 IoCs
  Processes:
  PID 188: F121.tmp
- Resources:
  resource C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc, yara_rule office_xlm_macros
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 3 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry 2 TTPs 3 IoCs
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Modifies registry class 1 IoCs
  Processes (description, ioc, process):
  Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (F121.tmp)
- Suspicious behavior: AddClipboardFormatListener 2 IoCs
  Processes:
  PID 3708: WINWORD.EXE (2 entries)
- Suspicious behavior: RenamesItself 1 IoCs
  Processes:
  PID 188: F121.tmp
- Suspicious use of SetWindowsHookEx 7 IoCs
  Processes:
  PID 3708: WINWORD.EXE (7 entries)
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes (description, pid, process, target process):
  PID 3872 wrote to memory of 188: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe -> F121.tmp (3 entries)
  PID 188 wrote to memory of 3708: F121.tmp -> WINWORD.EXE (2 entries)
Processes
- Level 1: "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3872
  - Level 2: "C:\Users\Admin\AppData\Local\Temp\F121.tmp" --ping C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe 7A9F13B03A077CBF37C10BFDF1E2B0074797004E72DC191F7764A434A9CBFCF0F78DE7732D05523890469E09406AC2F0F03BC0A7F41AD24025265E25FE1D8D98
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 188
    - Level 3: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 3708
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\F121.tmp
  MD5: 9341181176bca6f12a44030869f8bcf8
  SHA1: 009e5c70e540d0c11ca569c03ab359cbf2655d12
  SHA256: 698720d1f8104d33c98c8bf67b361827a03f3a1380f0bdf6106723d6aa97b5f6
  SHA512: 92574cb9c2715ae2d77ff7eb1a18e0bbee6b6a6ec2734cb0ea8baa9b61d96333d93b1f9de15bc9ee0abfe6965941d4a12a0dcb79da8142f4afb882b4dd21a8b7
- C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc
  MD5: 12e57ae08f64353b3c3b3d08681aaaf1
  SHA1: 36b6aca282497c65d41513b231d247b0187651f1
  SHA256: 07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308
  SHA512: aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8
- memory/188-114-0x0000000000000000-mapping.dmp
- memory/3708-120-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (filesize 64KB)
- memory/3708-119-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (filesize 64KB)
- memory/3708-118-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (filesize 64KB)
- memory/3708-121-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (filesize 64KB)
- memory/3708-123-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (filesize 64KB)
- memory/3708-122-0x00007FF8E9640000-0x00007FF8EC163000-memory.dmp (filesize 43.1MB)
- memory/3708-126-0x00007FF8E3360000-0x00007FF8E444E000-memory.dmp (filesize 16.9MB)
- memory/3708-127-0x00007FF8E1460000-0x00007FF8E3355000-memory.dmp (filesize 31.0MB)
- memory/3708-117-0x0000000000000000-mapping.dmp