Analysis
Max time kernel: 152s
Max time network: 46s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 13-05-2021 11:10

Static task: static1
Behavioral task: behavioral1
  Sample: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
  Resource: win10v20210410

General
Target: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
Size: 507KB
MD5: 56a65bdcd8ac98ea90b9aec9bfe2b5e4
SHA1: 189fde58d647edd83940de632dde978dd7a3823c
SHA256: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d
SHA512: 3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f
Malware Config
Signatures

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  796   cmdknsvr.exe
  1820  ~2932.tmp
  1324  bitsInit.exe

Processes:
  resource                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\~2CEA.tmp.doc   office_xlm_macros

Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1636  6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
  1636  6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
  796   cmdknsvr.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmst3g = "C:\\Users\\Admin\\AppData\\Roaming\\diallwiz\\cmdknsvr.exe"
  process: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

Drops file in System32 directory 1 IoCs
Processes:
  description: File created
  ioc: C:\Windows\SysWOW64\bitsInit.exe
  process: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe

Drops file in Windows directory 1 IoCs
Processes:
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  process: WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 9 IoCs
Processes (all entries by WINWORD.EXE):
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1060  WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  796   cmdknsvr.exe (1 entry)
  1244  Explorer.EXE and 1324 bitsInit.exe, alternating, for the remaining 63 entries

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1244  Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
  description                 pid   process
  Token: SeShutdownPrivilege  1244  Explorer.EXE (10 entries)

Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  1244  Explorer.EXE (6 entries)

Suspicious use of SendNotifyMessage 5 IoCs
Processes:
  pid   process
  1244  Explorer.EXE (5 entries)

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  1060  WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description                        process -> target process
  PID 1636 wrote to memory of 796    6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe -> cmdknsvr.exe (4 entries)
  PID 796 wrote to memory of 1820    cmdknsvr.exe -> ~2932.tmp (4 entries)
  PID 1820 wrote to memory of 1244   ~2932.tmp -> Explorer.EXE (1 entry)
  PID 1636 wrote to memory of 1060   6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe -> WINWORD.EXE (4 entries)
  PID 1060 wrote to memory of 1984   WINWORD.EXE -> splwow64.exe (4 entries)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [2] C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe"
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
        Command line: "C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\~2932.tmp
          Command line: "C:\Users\Admin\AppData\Local\Temp\~2932.tmp"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~2CEA.tmp.doc"
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\splwow64.exe
          Command line: C:\Windows\splwow64.exe 12288

[1] C:\Windows\SysWOW64\bitsInit.exe
    Command line: C:\Windows\SysWOW64\bitsInit.exe -k
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
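A small behavioural matcher for the chain the process tree above shows, added here as an example; it is not part of this report and not the sandbox's own code. It assumes normalized telemetry in the field names used in the block (one dict per event, loosely modelled on Sysmon/EDR output; the events are constructed from the report's pids and paths, plus one benign control) and encodes four of the report's signatures as rules: a Run value that points into AppData, a file dropped into SysWOW64 by a binary that does not itself live under C:\Windows, a three-deep chain of executables running from user-writable directories (including the `.tmp` file executed as a PE), and a user-writable process accessing Explorer.EXE.

```python
"""Behavioural matcher for the process chain in this report (added example).

Not code from the sandbox or the page. EVENTS is constructed to mirror the
report's signatures; the field names ("kind", "image", "parent_image",
"target_image", ...) are assumptions of this example, not a product schema.
"""
import ntpath
import re

USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)

SID = "S-1-5-21-2455352368-1077083310-2879168483-1000"
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d.exe")
DROPPER = "C:\\Users\\Admin\\AppData\\Roaming\\diallwiz\\cmdknsvr.exe"
TMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~2932.tmp"
EXPLORER = "C:\\Windows\\Explorer.EXE"

# Constructed events: pids, paths and the Run value come from the report; the
# last event is a benign control (an installer registering itself) and must not fire.
EVENTS = [
    {"kind": "process_create", "pid": 1636, "image": SAMPLE, "ppid": 1244, "parent_image": EXPLORER},
    {"kind": "registry_set", "pid": 1636, "image": SAMPLE,
     "key": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmst3g",
     "value": DROPPER},
    {"kind": "file_create", "pid": 1636, "image": SAMPLE, "path": "C:\\Windows\\SysWOW64\\bitsInit.exe"},
    {"kind": "process_create", "pid": 796, "image": DROPPER, "ppid": 1636, "parent_image": SAMPLE},
    {"kind": "process_create", "pid": 1820, "image": TMP_EXE, "ppid": 796, "parent_image": DROPPER},
    {"kind": "process_access", "pid": 1820, "image": TMP_EXE, "target_pid": 1244, "target_image": EXPLORER},
    {"kind": "registry_set", "pid": 500, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "value": "C:\\Program Files\\Vendor\\app.exe"},
]


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path or ""))


def user_writable_chain(pid, image_of, parent_of):
    """Walk up the parent chain while every ancestor runs from a user-writable path."""
    chain = []
    while pid in image_of and is_user_writable(image_of[pid]):
        chain.append(image_of[pid])
        pid = parent_of.get(pid)
    return chain


def analyse(events):
    """Return (rule, pid, detail) tuples for the behaviours the report flags."""
    image_of = {e["pid"]: e["image"] for e in events if e["kind"] == "process_create"}
    parent_of = {e["pid"]: e["ppid"] for e in events if e["kind"] == "process_create"}
    alerts = []
    for e in events:
        kind, img = e["kind"], e.get("image", "")
        if kind == "registry_set" and RUN_KEY.search(e["key"]) and is_user_writable(e["value"]):
            # "Adds Run key": persistence pointing at an executable under AppData
            alerts.append(("run_key_to_user_writable_exe", e["pid"], e["value"]))
        elif kind == "file_create" and SYSTEM_DIRS.match(e["path"]) and not WINDOWS_DIR.match(img):
            # "Drops file in System32 directory" by something that is not a Windows binary
            alerts.append(("system_dir_drop_by_non_system_process", e["pid"], e["path"]))
        elif kind == "process_create" and is_user_writable(img):
            if ntpath.splitext(img)[1].lower() != ".exe":
                # "Executes dropped EXE": a PE launched under a non-.exe name such as ~2932.tmp
                alerts.append(("dropped_exe_with_non_exe_extension", e["pid"], img))
            chain = user_writable_chain(e["pid"], image_of, parent_of)
            if len(chain) >= 3:
                alerts.append(("user_writable_process_chain", e["pid"], " <- ".join(chain)))
        elif kind == "process_access" and is_user_writable(img) \
                and ntpath.basename(e["target_image"]).lower() == "explorer.exe":
            # "Suspicious use of WriteProcessMemory" against the shell
            alerts.append(("user_writable_process_accesses_explorer", e["pid"], img))
    return alerts


def rules_fired(events=EVENTS):
    """Distinct rule names that fire on the given events, sorted."""
    return sorted({rule for rule, _, _ in analyse(events)})


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(*alert, sep="  |  ")
```

The chain rule is the one worth keeping even where the paths change between builds: the sample, cmdknsvr.exe and ~2932.tmp all run from directories any user can write to, and legitimate software rarely nests three such processes.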
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\~2932.tmp
  MD5: e3d332acf4fb9f3e5c3ea348db8aa3b2
  SHA1: 6eeb9643e98d04f4a4d294b60a327a8ec7504959
  SHA256: e00c8cbcd9451eea71ecd5d41b0fac1336abc0aa896a177e2ec3b608b3ee5388
  SHA512: a93eb33dabb98f58d9ca14f3141b7059bae27814c0281cb40e85d6977d0608760016fc965cbe2ad1006fab3d24dff327b44bf80c6a9a212f7ded29454c07d522

C:\Users\Admin\AppData\Local\Temp\~2CEA.tmp.doc
  MD5: 149f0098b9faa6bcf9a8f7f2aed29fc9
  SHA1: 244de26e12de2d715cf3a869e932a6d21b3a8b1e
  SHA256: 34969e2f18eae8c5b9bf68dbfe92aeee74c05206237498231d03d95a0ed1941f
  SHA512: f98135fcaff860b66bf73fa46fb72375a5b9ee8865af113b793a85eaa5bc020c3f716c9b2709252008978071fd02be620428be8e39fefdd533a0cc3e1c207056

C:\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
  MD5: e086825688a8e982660c6a352c3def67
  SHA1: 4164f1f9417952f2792255ff607e3ebe712a5d9a
  SHA256: d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227
  SHA512: 3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b

C:\Windows\SysWOW64\bitsInit.exe
  MD5: 56a65bdcd8ac98ea90b9aec9bfe2b5e4
  SHA1: 189fde58d647edd83940de632dde978dd7a3823c
  SHA256: 6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d
  SHA512: 3005d1336e7abc98323635422c149d3d35eebf950a1cebb08e91db43896dca765d73635d786d37fdc1b6f209aeee1e84370570e9b35368642929aace33228e2f

\Users\Admin\AppData\Local\Temp\~2932.tmp
  MD5: e3d332acf4fb9f3e5c3ea348db8aa3b2
  SHA1: 6eeb9643e98d04f4a4d294b60a327a8ec7504959
  SHA256: e00c8cbcd9451eea71ecd5d41b0fac1336abc0aa896a177e2ec3b608b3ee5388
  SHA512: a93eb33dabb98f58d9ca14f3141b7059bae27814c0281cb40e85d6977d0608760016fc965cbe2ad1006fab3d24dff327b44bf80c6a9a212f7ded29454c07d522

\Users\Admin\AppData\Roaming\diallwiz\cmdknsvr.exe
  MD5: e086825688a8e982660c6a352c3def67
  SHA1: 4164f1f9417952f2792255ff607e3ebe712a5d9a
  SHA256: d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227
  SHA512: 3ba881ad25aa74d61b60368f3c46a298a71d0c81a87442020faa95dcc9953749a29ce16b8deea018714169b167d2cef43cc64650e3ae5f7f85b7f29792643f1b
Memory dumps
  memory/796-64-0x0000000000000000-mapping.dmp
  memory/796-74-0x0000000000070000-0x00000000000B0000-memory.dmp    Filesize: 256KB
  memory/1060-79-0x000000006FAF1000-0x000000006FAF3000-memory.dmp   Filesize: 8KB
  memory/1060-77-0x0000000000000000-mapping.dmp
  memory/1060-78-0x0000000072071000-0x0000000072074000-memory.dmp   Filesize: 12KB
  memory/1060-80-0x000000005FFF0000-0x0000000060000000-memory.dmp   Filesize: 64KB
  memory/1060-84-0x000000005FFF0000-0x0000000060000000-memory.dmp   Filesize: 64KB
  memory/1244-75-0x0000000002C20000-0x0000000002C63000-memory.dmp   Filesize: 268KB
  memory/1324-76-0x00000000003E0000-0x0000000000472000-memory.dmp   Filesize: 584KB
  memory/1636-60-0x0000000075041000-0x0000000075043000-memory.dmp   Filesize: 8KB
  memory/1636-61-0x0000000000120000-0x00000000001B2000-memory.dmp   Filesize: 584KB
  memory/1820-69-0x0000000000000000-mapping.dmp
  memory/1984-82-0x0000000000000000-mapping.dmp
  memory/1984-83-0x000007FEFB561000-0x000007FEFB563000-memory.dmp   Filesize: 8KB
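A hash sweep over a directory using the SHA256 values from the Downloads list above, added here as an example; it is not the sandbox's or the page's code. It hashes each file once for MD5, SHA1 and SHA256, reports which report entries a local file matches, and shows from the hashes alone that C:\Windows\SysWOW64\bitsInit.exe is a byte-identical copy of the submitted sample. The files the demo function writes are constructed stand-ins, not the real binaries, so only the demo's own constructed hash is expected to match there.

```python
"""Hash-based sweep for the files listed in this report (added example).

Not part of the report. REPORT_HASHES copies the SHA256 values from the
Downloads section; scan_tree walks a directory and hashes each file a single
time for all three algorithms so a large tree is read only once.
"""
import hashlib
import os
import tempfile

# path as dropped in the sandbox -> SHA256 from the report's Downloads section
REPORT_HASHES = {
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\~2932.tmp":
        "e00c8cbcd9451eea71ecd5d41b0fac1336abc0aa896a177e2ec3b608b3ee5388",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\~2CEA.tmp.doc":
        "34969e2f18eae8c5b9bf68dbfe92aeee74c05206237498231d03d95a0ed1941f",
    "C:\\Users\\Admin\\AppData\\Roaming\\diallwiz\\cmdknsvr.exe":
        "d60552dff86258165a1134f01c952073526046deb2f3ad3b715fee72a01c2227",
    "C:\\Windows\\SysWOW64\\bitsInit.exe":
        "6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d",
}
SUBMITTED_SHA256 = "6bfaff1d987b257a2cecada27743464472ccc1a3099ea4dce9fc124664a8c77d"


def multi_hash(path, chunk=1 << 20):
    """MD5, SHA1 and SHA256 of one file, reading it a single time in 1 MiB chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, wanted):
    """Return {local_path: (sha256, [report paths])} for files whose SHA256 is in wanted.

    wanted maps report paths to SHA256 strings, in the shape of REPORT_HASHES.
    """
    by_hash = {}
    for report_path, digest in wanted.items():
        by_hash.setdefault(digest.lower(), []).append(report_path)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            local = os.path.join(dirpath, name)
            try:
                sha256 = multi_hash(local)["sha256"]
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if sha256 in by_hash:
                hits[local] = (sha256, by_hash[sha256])
    return hits


def self_copies(wanted=REPORT_HASHES, submitted=SUBMITTED_SHA256):
    """Report paths whose hash equals the submitted sample: the sample copied itself."""
    return sorted(p for p, h in wanted.items() if h.lower() == submitted.lower())


def demo_scan():
    """Self-contained demonstration on constructed files (not real malware).

    Returns ([(basename, sha256, report_paths)], expected_sha256).
    """
    payload = b"constructed stand-in for a dropped binary\n"
    expected = hashlib.sha256(payload).hexdigest()
    report_path = "C:\\Users\\Admin\\AppData\\Roaming\\diallwiz\\cmdknsvr.exe"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Roaming", "diallwiz"))
        with open(os.path.join(root, "Roaming", "diallwiz", "cmdknsvr.exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"unrelated content\n")
        hits = scan_tree(root, {report_path: expected})
        return [(os.path.basename(p), h, names) for p, (h, names) in hits.items()], expected


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies())
    print("demo hits:", demo_scan()[0])
```

Match on SHA256 rather than MD5 when sweeping: MD5 collisions are cheap to manufacture, and the report gives all four digests so nothing is lost by ignoring the weak one.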