Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 17-06-2022 02:53

Static task: static1
Behavioral task: behavioral1
  Sample: 2222.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2222.exe
  Resource: win10v2004-20220414-en
General
Target: 2222.exe
Size: 3.3MB
MD5: 5ac82ec1c5c3c179db55f6e283325f7f
SHA1: 4b209d3f027d72ce9c4f5e58fea8e6985506df32
SHA256: f423211a5d832e9f59cb5a296057e58bc65b6a609e1ae9da4d9e96ad79294852
SHA512: 5cfd3dd56b713bfb3fd9c171a63449727ee1c5333082dd70275dd656d9b02177f5bb9285733cede6c5804a3e6aec4cf119f03bf6608bf917bfe6269cea705c93
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
5020 | uuci.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour; note that no process-level IoC is recorded for it in this report, so the tag rests on the heuristic alone.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. In this run, however, every IoC below is attributed to WINWORD.EXE (the viewer opened on the decoy document), not to 2222.exe or uuci.exe, so this signature carries little weight against the dropper itself.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
4024 | WINWORD.EXE (2 identical IoC entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
2912 | 2222.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
4024 | WINWORD.EXE (7 identical IoC entries)
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 2912 wrote to memory of 3676 | 2912 | 2222.exe | cmd.exe (3 identical IoC entries)
PID 2912 wrote to memory of 5020 | 2912 | 2222.exe | uuci.exe (3 identical IoC entries)
PID 3676 wrote to memory of 4024 | 3676 | cmd.exe | WINWORD.EXE (2 identical IoC entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\2222.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2222.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\统计表_20220515-20220615.docx
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
         Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\统计表_20220515-20220615.docx" /o ""
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
   2. C:\Users\Public\uuci.exe
      Command line: C:\Users\Public\uuci.exe
      - Executes dropped EXE
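The Signatures and Processes sections together record a three-step dropper pattern on PID 2912: 2222.exe spawns cmd.exe /c to open a decoy document (统计表 translates to "statistics table"), that cmd.exe reads the Geo\Nation registry value, and 2222.exe drops and starts C:\Users\Public\uuci.exe. The following Python is an added example of how a hunter would correlate those steps in endpoint telemetry; it is not sandbox output and not the sample's code. The event schema (kind, pid, image, ppid, parent_image, cmdline, target), the explorer.exe parent PID 1320 and the benign Word launch are constructed assumptions; the malicious events mirror the report's process tree with its real PIDs and paths.

```python
"""Correlate the behaviour chain recorded in this report over constructed
endpoint-telemetry events. Added example, not sandbox output or the sample's
own code. Assumptions: an event source that records process creation, file
creation and registry value reads (the sandbox's "Key value queried" events
here; Sysmon alone does not log value reads), and the field names below."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "proc" (process create), "file" (file create), "reg" (registry read)
    pid: int
    image: str             # image path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""       # created file path (kind="file") or registry path (kind="reg")


TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PUBLIC_EXE = re.compile(r"^c:\\users\\public\\[^\\]+\.(exe|dll|scr)$", re.I)
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.I)
GEO_KEY = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)


def decoy_opened_via_cmd(events):
    """cmd.exe /c <document> spawned by an executable in %TEMP%: the decoy-open step.
    Returns (parent pid, cmd.exe pid) pairs."""
    hits = []
    for e in events:
        if e.kind != "proc" or not e.image.lower().endswith("\\cmd.exe"):
            continue
        if "/c" in e.cmdline.lower() and DOC_EXT.search(e.cmdline) and TEMP_DIR.match(e.parent_image):
            hits.append((e.ppid, e.pid))
    return hits


def public_drop_then_exec(events):
    """An executable written under C:\\Users\\Public and then started.
    Returns (dropper pid, payload pid) pairs."""
    dropped = {e.target.lower(): e.pid for e in events if e.kind == "file" and PUBLIC_EXE.match(e.target)}
    return [(dropped[e.image.lower()], e.pid) for e in events
            if e.kind == "proc" and e.image.lower() in dropped]


def geo_nation_lookup(events):
    """Reads of ...\\Control Panel\\International\\Geo\\Nation (the geofence IoC). Returns pids."""
    return [e.pid for e in events if e.kind == "reg" and GEO_KEY.search(e.target)]


def dropper_chain(events):
    """Attribute each step to the root (dropper) pid; flag roots showing two or more steps."""
    by_pid = {e.pid: e for e in events if e.kind == "proc"}
    roots = {}
    for root, _ in decoy_opened_via_cmd(events):
        roots.setdefault(root, set()).add("decoy_document")
    for root, _ in public_drop_then_exec(events):
        roots.setdefault(root, set()).add("public_payload")
    for pid in geo_nation_lookup(events):
        # In this report the lookup comes from the spawned cmd.exe, so credit its parent.
        root = by_pid[pid].ppid if pid in by_pid else pid
        roots.setdefault(root, set()).add("geo_lookup")
    return {root: sorted(steps) for root, steps in roots.items() if len(steps) >= 2}


# Constructed events mirroring the report's process tree (PIDs and paths taken
# from the report; explorer.exe PID 1320 is assumed), plus one benign Word launch
# from Explorer that must not be flagged.
T = r"C:\Users\Admin\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
DOC = T + r"\统计表_20220515-20220615.docx"
SAMPLE_EVENTS = [
    Event("proc", 2912, T + r"\2222.exe", ppid=1320, parent_image=r"C:\Windows\explorer.exe",
          cmdline='"' + T + r'\2222.exe"'),
    Event("proc", 3676, r"C:\Windows\SysWOW64\cmd.exe", ppid=2912, parent_image=T + r"\2222.exe",
          cmdline='cmd " /c " ' + DOC),
    Event("reg", 3676, r"C:\Windows\SysWOW64\cmd.exe",
          target=r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation"),
    Event("file", 2912, T + r"\2222.exe", target=r"C:\Users\Public\uuci.exe"),
    Event("proc", 5020, r"C:\Users\Public\uuci.exe", ppid=2912, parent_image=T + r"\2222.exe",
          cmdline=r"C:\Users\Public\uuci.exe"),
    Event("proc", 4024, WORD, ppid=3676, parent_image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline='"' + WORD + '" /n "' + DOC + '" /o ""'),
    Event("proc", 6100, WORD, ppid=1320, parent_image=r"C:\Windows\explorer.exe",
          cmdline='"' + WORD + r'" /n "C:\Users\Admin\Documents\notes.docx"'),
]

if __name__ == "__main__":
    for root, steps in dropper_chain(SAMPLE_EVENTS).items():
        print(f"root pid {root}: {', '.join(steps)}")
```

The benign Word launch from Explorer is included to show that the correlation keys on the cmd.exe /c indirection from a %TEMP% binary and on the Public-folder drop, not on Word itself; the processor and BIOS registry reads the report attributes to WINWORD.EXE are deliberately left out of the chain for the same reason. Requiring two of the three steps on one root PID keeps a lone Geo\Nation read (which legitimate software also performs) from firing on its own.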
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\统计表_20220515-20220615.docx
  Filesize: 11KB
  MD5: 09d6efb75065bb550000adb3409439ce
  SHA1: ebe721a26bb784be1848d6355fc701ee2e30841b
  SHA256: 0ac174848b69d7cd2adec31b696e27a79399ac0900f6e44895f17aee5bbcced0
  SHA512: 02ca1c535af1a0f2b7c069c07b4bed4783083c440cba4255f5978caee089f552a9ac673449d58cddcaae0518da7d86531c8712f539a63721ec56ee189eee7037

C:\Users\Public\uuci.exe
  Filesize: 1.3MB
  MD5: f2014c6a460cc7a2afa4a8271e4ce969
  SHA1: bd656757a441b2bdd5ae3c116ea8682e72550f17
  SHA256: 996f4c6c86c45bf1fd91d50f8b642c072b9e6c7e0f2166703572e7466b2c4f01
  SHA512: 22b6b41e78d930af6dad093c1c596ba4a648eece8932332a4ce0fe0e43c4112b0c3993d79b7de14032796c1e5b626460500ec25739c7ddf695ccdc8b3404b7fe
memory/3676-130-0x0000000000000000-mapping.dmp
memory/4024-138-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-135-0x0000000000000000-mapping.dmp
memory/4024-136-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-137-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-139-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-140-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-141-0x00007FF87EC50000-0x00007FF87EC60000-memory.dmp (64KB)
memory/4024-142-0x00007FF87EC50000-0x00007FF87EC60000-memory.dmp (64KB)
memory/4024-144-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-145-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-146-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/4024-147-0x00007FF8815B0000-0x00007FF8815C0000-memory.dmp (64KB)
memory/5020-131-0x0000000000000000-mapping.dmp