Analysis
- max time kernel: 172s
- max time network: 188s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 16:16
Static task: static1
Behavioral task: behavioral1
  Sample: 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
  Resource: win10-en-20211208
General
- Target: 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
- Size: 10.1MB
- MD5: da05ba791af7598665117a366e74cd9d
- SHA1: 7ef754a4e914eaec88a8084e2b613b981cfdc23d
- SHA256: 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2
- SHA512: ef0f0ee4ee393fa57544bf39e0e111f40e95a7465264f7c84568a5cf1b0ae9f3fea3c37b4f8df065d4355afd0ba654126721ce9e226364ab7b284a9ad5753268
Malware Config
Signatures
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (TTPs: 2, IoCs: 3)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (TTPs: 2, IoCs: 3)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (IoCs: 1)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
- Office document contains embedded OLE objects (IoCs: 1)
  Detected embedded OLE objects in Office documents.
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2 .docx | office_ole_embedded
- Suspicious behavior: AddClipboardFormatListener (IoCs: 2)
  Processes:
    pid | process
    484 | WINWORD.EXE
    484 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (IoCs: 1)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3824 | 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
- Suspicious use of SetWindowsHookEx (IoCs: 8)
  Processes:
    pid | process
    484 | WINWORD.EXE (this row is listed 8 times)
- Suspicious use of WriteProcessMemory (IoCs: 2)
  Processes:
    description | pid | process | target process
    PID 3824 wrote to memory of 484 | 3824 | 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe | WINWORD.EXE
    PID 3824 wrote to memory of 484 | 3824 | 15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe | WINWORD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe"
  PID: 3824
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (child of PID 3824)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2 .docx" /o ""
    PID: 484
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2 .docx
  MD5: 3e84c9c09db215e450846c60971ca881
  SHA1: d2a06520f76f0a6632d3608e2d5dc7027e10dc74
  SHA256: f9c5de40a6ec864a183c83e4457383b93acab8fa30a323083d4fb33dfa24ca18
  SHA512: c5d2491ec6686e25c27a47f0a6da7e2b4551e0e5a749b270daeb1f0639b07bfe21ea13437331ade5bab60b3d8e6d36b2b0b6d954f47d68e2dc7d3d158f606276