Analysis
-
max time kernel
151s -
max time network
131s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-05-2021 06:17
Static task
static1
Behavioral task
behavioral1
Sample
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
Resource
win10v20210408
General
-
Target
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe
-
Size
343KB
-
MD5
6cf1ef6ae9f35d89efbae669e3fa59cf
-
SHA1
a19ce57386dae3750e7e326a024da77717047d7d
-
SHA256
6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88
-
SHA512
abd59863bae3c8342e1583adc5df2ad383b0b3273d18da52aba1b2dec815f2415fc2bd4ded90c18a5a16c37ba9d1defe86432457111fbf10b5b95ba0861824e7
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 3668 dllhhelp.exe 3500 Laungman.exe 3132 ~D680.tmp -
resource yara_rule behavioral2/files/0x000100000001ab48-192.dat office_xlm_macros -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktmugman = "C:\\Users\\Admin\\AppData\\Roaming\\attrrcfg\\dllhhelp.exe" 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Laungman.exe 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Explorer.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2864 WINWORD.EXE 2864 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3668 dllhhelp.exe 3668 dllhhelp.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 3500 Laungman.exe 2996 Explorer.EXE 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe 3500 Laungman.exe 2996 Explorer.EXE 3500 Laungman.exe 2996 Explorer.EXE 3500 Laungman.exe 3500 Laungman.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2996 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE Token: SeShutdownPrivilege 2996 Explorer.EXE Token: SeCreatePagefilePrivilege 2996 Explorer.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE 2864 WINWORD.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2996 Explorer.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 636 wrote to memory of 3668 636 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe 75 PID 636 wrote to memory of 3668 636 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe 75 PID 636 wrote to memory of 3668 636 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe 75 PID 3668 wrote to memory of 3132 3668 dllhhelp.exe 77 PID 3668 wrote to memory of 3132 3668 dllhhelp.exe 77 PID 3132 wrote to memory of 2996 3132 ~D680.tmp 22 PID 636 wrote to memory of 2864 636 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe 78 PID 636 wrote to memory of 2864 636 6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe 78
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe"C:\Users\Admin\AppData\Local\Temp\6a6ec0d82d0d124e65e4a0cd9c7262e51def7dfb4ed43398a41d1ec3508cee88.exe"2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe"C:\Users\Admin\AppData\Roaming\attrrcfg\dllhhelp.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Users\Admin\AppData\Local\Temp\~D680.tmp"C:\Users\Admin\AppData\Local\Temp\~D680.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~D6BE.tmp.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
-
C:\Windows\SysWOW64\Laungman.exeC:\Windows\SysWOW64\Laungman.exe -k1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3500