26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c

General

Target

26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe
Size

104KB
MD5

a6a9ec826b4e6ce4e20d787dae1c7757
SHA1

ccf3ed88f6a1e3ec6732bd8058eb169f93603454
SHA256

26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c
SHA512

b2f666d5717e380ee20627f5cba9b9d92e003c41df07db122cee4c7807626a5964c1da81e93eb746a246b9c150de4b4da2905e8033ca6de43537bbc3658f2ba9
SSDEEP

1536:0uHGyL8+YAiv5tkpSxt4pzuCFgVpxl8pZ:dHlO5thxzCF+pxl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	system.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.lnk	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2256	WINWORD.EXE
2256	WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe
2100	system.exe
2100	system.exe
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE
2256	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2256	448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe	81
PID 448 wrote to memory of 2256	448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe	81
PID 448 wrote to memory of 2100	448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe	82
PID 448 wrote to memory of 2100	448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe	82
PID 448 wrote to memory of 2100	448	26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe	82

C:\Users\Admin\AppData\Local\Temp\26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe
"C:\Users\Admin\AppData\Local\Temp\26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Users\Admin\AppData\Roaming\system.exe
  C:\Users\Admin\AppData\Roaming\system.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\26b0f2ac850f7750eee3ed41bc38df5d9d10584e966e259d140b6dcf0c07f94c.doc

Filesize
32KB

MD5
9e08409b5ed7c56e600a75350b7e92a3

SHA1
2f9708af19b14b2d3e539ac19f46d3abae4a1917

SHA256
811d02fb56b4deb810953d26a9dfe8d3fa36e5e15f7356dca7d6694d2a20844e

SHA512
b31822dab789e9859e78fafa569235cefd98e34cbf434d1b835a44eabe9f52422a50469c992c2c321b331d116544cc92225ded49fade536cca400e665c1ffc31

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
72KB

MD5
fd309fb5c511e6b6f6e7b0c3049e66cb

SHA1
46ffc5d8aba9f5af7c82f54863ee23a31743542b

SHA256
85ca462ae62f35b5ee0b912e1bc8be5f0cdb63002d8b8a5a42cf34c559dc3a1c

SHA512
f1626050ec3cce9b8b064cb32404bd540d8b225988eba7b192c4ad9a8f9fcb2e72f6dd40b575ecf0be7b45866e05b74e8afe8b5dc94261e7a00af95bdcdfc316

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
72KB

MD5
fd309fb5c511e6b6f6e7b0c3049e66cb

SHA1
46ffc5d8aba9f5af7c82f54863ee23a31743542b

SHA256
85ca462ae62f35b5ee0b912e1bc8be5f0cdb63002d8b8a5a42cf34c559dc3a1c

SHA512
f1626050ec3cce9b8b064cb32404bd540d8b225988eba7b192c4ad9a8f9fcb2e72f6dd40b575ecf0be7b45866e05b74e8afe8b5dc94261e7a00af95bdcdfc316

Download Submit
memory/2256-144-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-141-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-142-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-143-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-145-0x00007FFDAAC10000-0x00007FFDAAC20000-memory.dmp

Filesize
64KB

Download
memory/2256-146-0x00007FFDAAC10000-0x00007FFDAAC20000-memory.dmp

Filesize
64KB

Download
memory/2256-140-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-149-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-150-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-151-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download
memory/2256-152-0x00007FFDAD570000-0x00007FFDAD580000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads