15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2

General

Target

15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
Size

10.1MB
MD5

da05ba791af7598665117a366e74cd9d
SHA1

7ef754a4e914eaec88a8084e2b613b981cfdc23d
SHA256

15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2
SHA512

ef0f0ee4ee393fa57544bf39e0e111f40e95a7465264f7c84568a5cf1b0ae9f3fea3c37b4f8df065d4355afd0ba654126721ce9e226364ab7b284a9ad5753268

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe

Office document contains embedded OLE objects 1 IoCs

Detected embedded OLE objects in Office documents.

resource	yara_rule
behavioral2/files/0x000600000001ab0c-252.dat	office_ole_embedded

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
484	WINWORD.EXE
484	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 484	3824	15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe	68
PID 3824 wrote to memory of 484	3824	15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe	68

C:\Users\Admin\AppData\Local\Temp\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe
"C:\Users\Admin\AppData\Local\Temp\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\15c87b1820b67d4d2b082e81fd7946dd00a1072441b7551e38fccd5575bf18c2 .docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-126-0x00007FFDF89F0000-0x00007FFDF8A00000-memory.dmp

Filesize
64KB

Download
memory/484-120-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-121-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-122-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-123-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-129-0x00007FFDF89F0000-0x00007FFDF8A00000-memory.dmp

Filesize
64KB

Download
memory/484-119-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-346-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-347-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-348-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/484-349-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp

Filesize
64KB

Download
memory/3824-118-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads