f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058

General

Target

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
Size

409KB
MD5

ba3916c609c877870cfe6c582d7aa82e
SHA1

4f6583881ea79793e59d1ab58dfcb95d4eb09cca
SHA256

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058
SHA512

709a27fc0dfadb446126d42049c46ac96c0b993f31a0a7c7a7e4745e55111ce904f4bbb296774c9f59fb2ad5e6451572813ab5eb6f0966e65db9067b4eac63ee

Score

8^/10

macro xlm

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

F121.tmp

pid process

188 F121.tmp

pid	process
188	F121.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc	office_xlm_macros

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

F121.tmp

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings F121.tmp
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3708 WINWORD.EXE
3708 WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

F121.tmp

pid process

188 F121.tmp
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3708 WINWORD.EXE
3708 WINWORD.EXE
3708 WINWORD.EXE
3708 WINWORD.EXE
3708 WINWORD.EXE
3708 WINWORD.EXE
3708 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	F121.tmp

pid	process
3708	WINWORD.EXE
3708	WINWORD.EXE

pid	process
188	F121.tmp

pid	process
3708	WINWORD.EXE
3708	WINWORD.EXE
3708	WINWORD.EXE
3708	WINWORD.EXE
3708	WINWORD.EXE
3708	WINWORD.EXE
3708	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exeF121.tmp

description	pid	process	target process
PID 3872 wrote to memory of 188	3872	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	F121.tmp
PID 3872 wrote to memory of 188	3872	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	F121.tmp
PID 3872 wrote to memory of 188	3872	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	F121.tmp
PID 188 wrote to memory of 3708	188	F121.tmp	WINWORD.EXE
PID 188 wrote to memory of 3708	188	F121.tmp	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
"C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\F121.tmp
"C:\Users\Admin\AppData\Local\Temp\F121.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe 7A9F13B03A077CBF37C10BFDF1E2B0074797004E72DC191F7764A434A9CBFCF0F78DE7732D05523890469E09406AC2F0F03BC0A7F41AD24025265E25FE1D8D98
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:188

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3708

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F121.tmp
MD5
9341181176bca6f12a44030869f8bcf8

SHA1
009e5c70e540d0c11ca569c03ab359cbf2655d12

SHA256
698720d1f8104d33c98c8bf67b361827a03f3a1380f0bdf6106723d6aa97b5f6

SHA512
92574cb9c2715ae2d77ff7eb1a18e0bbee6b6a6ec2734cb0ea8baa9b61d96333d93b1f9de15bc9ee0abfe6965941d4a12a0dcb79da8142f4afb882b4dd21a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F121.tmp
MD5
9341181176bca6f12a44030869f8bcf8

SHA1
009e5c70e540d0c11ca569c03ab359cbf2655d12

SHA256
698720d1f8104d33c98c8bf67b361827a03f3a1380f0bdf6106723d6aa97b5f6

SHA512
92574cb9c2715ae2d77ff7eb1a18e0bbee6b6a6ec2734cb0ea8baa9b61d96333d93b1f9de15bc9ee0abfe6965941d4a12a0dcb79da8142f4afb882b4dd21a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc
MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
memory/188-114-0x0000000000000000-mapping.dmp

Download
memory/3708-120-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3708-119-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3708-118-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3708-121-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3708-123-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3708-122-0x00007FF8E9640000-0x00007FF8EC163000-memory.dmp

Filesize
43.1MB

Download
memory/3708-126-0x00007FF8E3360000-0x00007FF8E444E000-memory.dmp

Filesize
16.9MB

Download
memory/3708-127-0x00007FF8E1460000-0x00007FF8E3355000-memory.dmp

Filesize
31.0MB

Download
memory/3708-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads