Overview

overview

7

Static

static

3

Flag 'B' -...Cs.pdf

windows7-x64

1

Flag 'B' -...Cs.pdf

windows10-2004-x64

1

Flag 'C' -...it.pdf

windows7-x64

1

Flag 'C' -...it.pdf

windows10-2004-x64

1

Flag-'A'-L...doc.js

windows7-x64

4

Flag-'A'-L...doc.js

windows10-2004-x64

7

Analysis

  • max time kernel
    107s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2022 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Flag-'A'-LOC_flowcharts-New.doc.js

  • Size

    290KB

  • MD5

    16b292e205cae359bddba8052ee51ab1

  • SHA1

    45e704ed5995a83b56146034e7c42172c3bacf7a

  • SHA256

    942e26b9c769bbfd6a9cb2237d4b7a0788d95bc2a144f41bba38b300133027ff

  • SHA512

    07fa4f502555dd057f490f43937f85ea7856fee33f34b36dd1ad5e96afdc650548dc932ee2df15a5ea0f7197cfed2a70578e57513a92b191df1a7c83f4016334

  • SSDEEP

    3072:Cj+nRsIgyLXBJgHj8m/b4aMnODn0ACJAMotP/0Q5oY/mEVbN:rnRsIgC3ij8m/bMOgotP8QqCHbN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc.js
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\win.js" PfkeDoGrcYlpF7dqI4j_
      2⤵
        PID:4136
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc" /o ""
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3172

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\win.js
      Filesize

      18KB

      MD5

      16530898d8dd54709617f122c1a49151

      SHA1

      6a1f8ed00c44e969d26575e47d855eab992820cc

      SHA256

      e47c22fc09636037e95b0a15fd6849c381ec94975e04830b56d45ac7983de4e4

      SHA512

      42b18a19e65f39b5d6b8e6bba44acc6d3e4cfa20bce2533bb55dcd4a5a33f124af8670322bd6474241ad446de7ee89b4121389b4fbc8a6027688ce3c67721381

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Flag-'A'-LOC_flowcharts-New.doc
      Filesize

      195KB

      MD5

      7b4cd9aed159f43c351353fa5ab1f002

      SHA1

      a21d82264ac6a972dbf3e3d857cef00703fc036e

      SHA256

      5e2cab6efb3b6ceacbd857fc6a97841d649b3c1902a4e63d1bfb7b366148cccd

      SHA512

      099348ade1c4d683a41b4c8725743945d2c14507f02ee73bf7cff6a5c131e4235b0e5ff80ef1931c1ffbd772c5cb7e3e4b927b922c4070d3409c2da927141eb5

      Download Submit
    • memory/3172-138-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-135-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-136-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-137-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-139-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-140-0x00007FFCEC080000-0x00007FFCEC090000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-141-0x00007FFCEC080000-0x00007FFCEC090000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3172-144-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-145-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-146-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3172-147-0x00007FFCEE4B0000-0x00007FFCEE4C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4136-132-0x0000000000000000-mapping.dmp
      Download