Analysis

max time kernel: 107s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2022 11:08
Behavioral tasks

behavioral1
  Sample: Flag 'B' - Dos and Don'ts for Procurement under LOCs.pdf
  Resource: win7-20220812-en

behavioral2
  Sample: Flag 'B' - Dos and Don'ts for Procurement under LOCs.pdf
  Resource: win10v2004-20220812-en

behavioral3
  Sample: Flag 'C' - Handbook on Lines of Credit.pdf
  Resource: win7-20220812-en

behavioral4
  Sample: Flag 'C' - Handbook on Lines of Credit.pdf
  Resource: win10v2004-20220812-en

behavioral5
  Sample: Flag-'A'-LOC_flowcharts-New.doc.js
  Resource: win7-20220901-en

behavioral6
  Sample: Flag-'A'-LOC_flowcharts-New.doc.js
  Resource: win10v2004-20220812-en
General

Target: Flag-'A'-LOC_flowcharts-New.doc.js
Size: 290KB
MD5: 16b292e205cae359bddba8052ee51ab1
SHA1: 45e704ed5995a83b56146034e7c42172c3bacf7a
SHA256: 942e26b9c769bbfd6a9cb2237d4b7a0788d95bc2a144f41bba38b300133027ff
SHA512: 07fa4f502555dd057f490f43937f85ea7856fee33f34b36dd1ad5e96afdc650548dc932ee2df15a5ea0f7197cfed2a70578e57513a92b191df1a7c83f4016334
SSDEEP: 3072:Cj+nRsIgyLXBJgHj8m/b4aMnODn0ACJAMotP/0Q5oY/mEVbN:rnRsIgC3ij8m/bMOgotP8QqCHbN
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    wscript.exe
      Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    WINWORD.EXE
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    WINWORD.EXE
      Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies registry class (1 IoC)
  Processes:
    wscript.exe
      Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (PID 3172), 2 occurrences

- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    WINWORD.EXE (PID 3172), 8 occurrences

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID, source process -> target PID, target process):
    PID 956 wscript.exe wrote to memory of PID 4136 WScript.exe (2 occurrences)
    PID 956 wscript.exe wrote to memory of PID 3172 WINWORD.EXE (2 occurrences)
Processes

C:\Windows\system32\wscript.exe (PID 956)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc.js
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\System32\WScript.exe (PID 4136)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\win.js" PfkeDoGrcYlpF7dqI4j_

  Child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3172)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\win.js
  Filesize: 18KB
  MD5: 16530898d8dd54709617f122c1a49151
  SHA1: 6a1f8ed00c44e969d26575e47d855eab992820cc
  SHA256: e47c22fc09636037e95b0a15fd6849c381ec94975e04830b56d45ac7983de4e4
  SHA512: 42b18a19e65f39b5d6b8e6bba44acc6d3e4cfa20bce2533bb55dcd4a5a33f124af8670322bd6474241ad446de7ee89b4121389b4fbc8a6027688ce3c67721381

C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc
  Filesize: 195KB
  MD5: 7b4cd9aed159f43c351353fa5ab1f002
  SHA1: a21d82264ac6a972dbf3e3d857cef00703fc036e
  SHA256: 5e2cab6efb3b6ceacbd857fc6a97841d649b3c1902a4e63d1bfb7b366148cccd
  SHA512: 099348ade1c4d683a41b4c8725743945d2c14507f02ee73bf7cff6a5c131e4235b0e5ff80ef1931c1ffbd772c5cb7e3e4b927b922c4070d3409c2da927141eb5

Memory dumps:
  memory/3172-138-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-135-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-136-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-137-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-139-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-140-0x00007FFCEC080000-0x00007FFCEC090000-memory.dmp (Filesize: 64KB)
  memory/3172-141-0x00007FFCEC080000-0x00007FFCEC090000-memory.dmp (Filesize: 64KB)
  memory/3172-134-0x0000000000000000-mapping.dmp
  memory/3172-144-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-145-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-146-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/3172-147-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp (Filesize: 64KB)
  memory/4136-132-0x0000000000000000-mapping.dmp