Analysis
- max time kernel: 10s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-09-2022 14:40
Static task: static1
Behavioral task: behavioral1
Sample: ÿոdocx.exe
Resource: win7-20220812-en
General
- Target: ÿոdocx.exe
- Size: 56KB
- MD5: 53bd8b97c02d09b92f8508108e788e4e
- SHA1: 1c0c87df4e56d667047e51838b57ed0f792608d8
- SHA256: 889ec7d82299313b7665d062df39c1158361308582fed001661fc469347ceefa
- SHA512: 198471e3eb1a8c89da9b8401b3316fe4f60eb454e573bdc665cf0668fa3035d14a3ef0ee7915b073fe1bdd6892ac635a3fe55ce96b38ebbe9cff8ebe3d76962c
- SSDEEP: 768:0MTeJfcWsPRIOKcGlO/qR13Clrs8qj2DGI2:07JNmRbWMkYsADF
Malware Config
Signatures
- UAC bypass
  Processes: ÿոdocx.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
- Downloads MZ/PE file
- Executes dropped EXE 4 IoCs
  Processes: k4.exe
  pid | process
  1496 | k4.exe
  1724 | k4.exe
  1496 | k4.exe
  1724 | k4.exe
- Loads dropped DLL 2 IoCs
  Processes: ÿոdocx.exe
  pid | process
  1956 | ÿոdocx.exe
  1956 | ÿոdocx.exe
- Checks whether UAC is enabled
  Processes: ÿոdocx.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill 2 IoCs
  Processes: taskkill.exe
  pid | process
  1704 | taskkill.exe
  1704 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: k4.exe
  description | pid | process
  Token: SeLoadDriverPrivilege | 1724 | k4.exe
  Token: SeLoadDriverPrivilege | 1724 | k4.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes: ÿոdocx.exe
  pid | process
  1956 | ÿոdocx.exe
  1956 | ÿոdocx.exe
- Suspicious use of WriteProcessMemory 32 IoCs
  Processes: ÿոdocx.exe, cmd.exe
  description | pid | process | target process
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1496 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1724 | 1956 | ÿոdocx.exe | k4.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1956 wrote to memory of 1592 | 1956 | ÿոdocx.exe | cmd.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
  PID 1592 wrote to memory of 1704 | 1592 | cmd.exe | taskkill.exe
- System policy modification 1 TTPs 6 IoCs
  Processes: ÿոdocx.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ÿոdocx.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ÿոdocx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ÿոdocx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ÿոdocx.exe"
  Signatures: UAC bypass; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Users\Public\Documents\k4.exe
    Command line: C:/Users/Public/Documents/k4.exe
    Signatures: Executes dropped EXE
  - C:\Users\Public\Documents\k4.exe
    Command line: C:/Users/Public/Documents/k4.exe /D
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /t /im k4.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /t /im k4.exe
      Signatures: Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\k4.exe
  Filesize: 892KB
  MD5: 33e29221e2825001d32f78632217d250
  SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
  SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
- \Users\Public\Documents\k4.exe
  Filesize: 892KB
  MD5: 33e29221e2825001d32f78632217d250
  SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
  SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
  SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
- memory/1496-58-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
  Filesize: 8KB
- memory/1496-56-0x0000000000000000-mapping.dmp
- memory/1592-63-0x0000000000000000-mapping.dmp
- memory/1704-64-0x0000000000000000-mapping.dmp
- memory/1724-60-0x0000000000000000-mapping.dmp
- memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp
  Filesize: 8KB