Analysis
max time kernel: 10s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2022 14:40
Static task: static1
Behavioral task: behavioral1
Sample: ÿոdocx.exe
Resource: win7-20220812-en
General
Target: ÿոdocx.exe
Size: 56KB
MD5: 53bd8b97c02d09b92f8508108e788e4e
SHA1: 1c0c87df4e56d667047e51838b57ed0f792608d8
SHA256: 889ec7d82299313b7665d062df39c1158361308582fed001661fc469347ceefa
SHA512: 198471e3eb1a8c89da9b8401b3316fe4f60eb454e573bdc665cf0668fa3035d14a3ef0ee7915b073fe1bdd6892ac635a3fe55ce96b38ebbe9cff8ebe3d76962c
SSDEEP: 768:0MTeJfcWsPRIOKcGlO/qR13Clrs8qj2DGI2:07JNmRbWMkYsADF
Malware Config
Signatures
UAC bypass
Writing 0 to EnableLUA disables UAC altogether (effective after the next reboot); ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop.
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ÿոdocx.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  ÿոdocx.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  ÿոdocx.exe
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes (pid / process):
  2544  k4.exe
  3536  k4.exe
Checks whether UAC is enabled
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ÿոdocx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  k4.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  k4.exe
Kills process with taskkill 2 IoCs
Processes (pid / process):
  2932  taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege  2932  taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid / process):
  4444  ÿոdocx.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes (description / pid / process / target process):
  PID 4444 wrote to memory of 2544  4444  ÿոdocx.exe  k4.exe
  PID 4444 wrote to memory of 2544  4444  ÿոdocx.exe  k4.exe
  PID 4444 wrote to memory of 3536  4444  ÿոdocx.exe  k4.exe
  PID 4444 wrote to memory of 3536  4444  ÿոdocx.exe  k4.exe
  PID 4444 wrote to memory of 5084  4444  ÿոdocx.exe  cmd.exe
  PID 4444 wrote to memory of 5084  4444  ÿոdocx.exe  cmd.exe
  PID 4444 wrote to memory of 5084  4444  ÿոdocx.exe  cmd.exe
  PID 5084 wrote to memory of 2932  5084  cmd.exe  taskkill.exe
  PID 5084 wrote to memory of 2932  5084  cmd.exe  taskkill.exe
  PID 5084 wrote to memory of 2932  5084  cmd.exe  taskkill.exe
System policy modification 1 TTPs 6 IoCs
Processes (description / ioc / process):
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  ÿոdocx.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  ÿոdocx.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  ÿոdocx.exe
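The registry events in the signature tables above, run through a small triage script. This is an added example and is not part of the sandbox report or of the sample; the input lines are the report's own "Set value" and "Key opened" IoCs re-assembled one per line, and the function names (detect, uac_fully_disabled), the hypervisor marker list and the per-value explanations are the example's own assumptions. It flags the three UAC policy writes, reports when one process has zeroed all three (UAC fully disabled and silenced), and flags reads under Enum\SCSI, noting whether the device vendor string carries a marker malware typically looks for.

```python
# Added example (not part of the sandbox report): parse the registry IoC
# lines from the signatures above and flag the behaviours a responder
# cares about: UAC weakened through policy values, and SCSI enumeration.
import re
from dataclasses import dataclass

# Constructed input: the IoC lines from the report, one event per line.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ÿոdocx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ÿոdocx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ÿոdocx.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 k4.exe
"""

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# What a value of 0 means for each policy value (Windows UAC semantics).
UAC_WEAKENING = {
    "EnableLUA": "UAC disabled entirely (effective after the next reboot)",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts no longer use the secure desktop",
}

# Vendor/product substrings malware commonly searches for in disk enumeration
# keys to recognise a virtual machine (assumed list for this example).
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+)\\(\w+) = "([^"]*)" (\S+)$')
KEY_OPENED_RE = re.compile(r'^Key opened (\S+) (\S+)$')


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    detail: str


def parse_set_values(text):
    """Yield (type, key_path, value_name, data, process) for each 'Set value' line."""
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if m:
            yield m.groups()


def parse_key_opens(text):
    """Yield (key_path, process) for each 'Key opened' line."""
    for line in text.splitlines():
        m = KEY_OPENED_RE.match(line.strip())
        if m:
            yield m.groups()


def detect(text):
    """Return findings in report order: UAC policy writes first, then SCSI reads."""
    findings = []
    for _vtype, key, name, data, proc in parse_set_values(text):
        if key.lower() == UAC_POLICY_KEY.lower() and name in UAC_WEAKENING and data == "0":
            findings.append(Finding(proc, "uac_weakening", f"{name}=0: {UAC_WEAKENING[name]}"))
    for key, proc in parse_key_opens(text):
        if "\\ENUM\\SCSI\\" in key.upper():
            # Device ID is the path component before the instance ID, e.g.
            # DISK&VEN_DADY&PROD_HARDDISK; the sandbox here reports vendor DADY.
            device_id = key.rsplit("\\", 2)[-2]
            marked = any(m in device_id.upper() for m in HYPERVISOR_MARKERS)
            findings.append(Finding(proc, "scsi_enum", device_id + (" [hypervisor marker]" if marked else "")))
    return findings


def uac_fully_disabled(findings):
    """Processes that zeroed all three policy values: UAC off and silenced."""
    names_by_proc = {}
    for f in findings:
        if f.technique == "uac_weakening":
            names_by_proc.setdefault(f.process, set()).add(f.detail.split("=", 1)[0])
    return {p for p, names in names_by_proc.items() if names == set(UAC_WEAKENING)}


if __name__ == "__main__":
    found = detect(REPORT_IOCS)
    for f in found:
        print(f"{f.technique:14} {f.process:12} {f.detail}")
    print("UAC fully disabled by:", uac_fully_disabled(found) or "nobody")
```

On a live host the same three values can be read with reg query or Get-ItemProperty under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the sandbox rows only show the write, so a responder should confirm the post-reboot state separately.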
Processes
C:\Users\Admin\AppData\Local\Temp\ÿոdocx.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ÿոdocx.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Users\Public\Documents\k4.exe
      command line: C:/Users/Public/Documents/k4.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
    C:\Users\Public\Documents\k4.exe
      command line: C:/Users/Public/Documents/k4.exe /D
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c taskkill /f /t /im k4.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe
          command line: taskkill /f /t /im k4.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Documents\k4.exe
Filesize: 892KB
MD5: 33e29221e2825001d32f78632217d250
SHA1: 9122127fc91790a1edb78003e9b58a9b00355ed5
SHA256: 65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA512: 01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
memory/2544-132-0x0000000000000000-mapping.dmp
memory/2932-138-0x0000000000000000-mapping.dmp
memory/3536-135-0x0000000000000000-mapping.dmp
memory/5084-137-0x0000000000000000-mapping.dmp