d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271

General

Target

d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe
Size

91KB
MD5

6e5d1e43912474915b136390e4c75c0d
SHA1

9cc2a9246d0ac439fea9a421899c4e7015d2a524
SHA256

d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271
SHA512

cda7ff95bc51f7d61fffb1e1c682d7ec0d52f5b8b358e8024f9af56f423a59486668526a55cb11e467512c697baeaf7f98e4d4b3820d7b0095e73fa6b75b101f
SSDEEP

1536:6mi+xxdgF45E4h2Hnq8OFnouy8CBZVDYTwtaRdoYVJ42fDQIDEG59VW:6mi+/dgy5Ef8doutaZZYCajVJ40MKk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1904	osk.exe
4844	WINWORD.EXE
1004	WINWORD.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-134-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x000a000000022e17-137.dat	upx
behavioral2/files/0x000a000000022e17-138.dat	upx
behavioral2/memory/2200-141-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1904-143-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0009000000022e2c-145.dat	upx
behavioral2/memory/1904-147-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0009000000022e2c-146.dat	upx
behavioral2/files/0x0007000000022e2d-150.dat	upx
behavioral2/files/0x0009000000022e2c-152.dat	upx
behavioral2/memory/4844-153-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1004-156-0x0000000011000000-0x000000001102F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	osk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINWORD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	osk.exe
File opened (read-only)	\??\X:	osk.exe
File opened (read-only)	\??\Y:	osk.exe
File opened (read-only)	\??\E:	osk.exe
File opened (read-only)	\??\H:	osk.exe
File opened (read-only)	\??\M:	osk.exe
File opened (read-only)	\??\O:	osk.exe
File opened (read-only)	\??\Q:	osk.exe
File opened (read-only)	\??\F:	osk.exe
File opened (read-only)	\??\J:	osk.exe
File opened (read-only)	\??\R:	osk.exe
File opened (read-only)	\??\U:	osk.exe
File opened (read-only)	\??\K:	osk.exe
File opened (read-only)	\??\T:	osk.exe
File opened (read-only)	\??\W:	osk.exe
File opened (read-only)	\??\Z:	osk.exe
File opened (read-only)	\??\P:	osk.exe
File opened (read-only)	\??\V:	osk.exe
File opened (read-only)	\??\B:	osk.exe
File opened (read-only)	\??\G:	osk.exe
File opened (read-only)	\??\I:	osk.exe
File opened (read-only)	\??\L:	osk.exe
File opened (read-only)	\??\N:	osk.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\ExpandNew.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\OpenPop.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1904	osk.exe
1904	osk.exe
1904	osk.exe
1904	osk.exe
4844	WINWORD.EXE
4844	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe
1904	osk.exe
4844	WINWORD.EXE
1004	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2604	2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe	83
PID 2200 wrote to memory of 2604	2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe	83
PID 2200 wrote to memory of 1904	2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe	84
PID 2200 wrote to memory of 1904	2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe	84
PID 2200 wrote to memory of 1904	2200	d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe	84
PID 1904 wrote to memory of 4844	1904	osk.exe	85
PID 1904 wrote to memory of 4844	1904	osk.exe	85
PID 1904 wrote to memory of 4844	1904	osk.exe	85
PID 4844 wrote to memory of 1004	4844	WINWORD.EXE	86
PID 4844 wrote to memory of 1004	4844	WINWORD.EXE	86
PID 4844 wrote to memory of 1004	4844	WINWORD.EXE	86

C:\Users\Admin\AppData\Local\Temp\d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe
"C:\Users\Admin\AppData\Local\Temp\d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271 .doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\d8cbef9b1f51bbf869bfa065060a4e592065beb9f0c85e04612cf92f97235271 .doc

Filesize
41KB

MD5
60bbb6b4d80ed07a58dbd20ebcf537ac

SHA1
f54e93851e0f4768c77e7b25f79ad19d81ad08f9

SHA256
9487c91d4a343a540a124f9a6767fc85cf0927e52ffdf5175954b0baa713b21d

SHA512
b8a1fba197dc9082e32f2ef42eb7f902efef8ec115f7d72e0db9a086a3e96b99c1aa4c36108e77998fccee4f1b1a7864fec7ae1f16559a762eb2f35de91a19fe

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
memory/1004-156-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1904-143-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1904-147-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2200-134-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2200-141-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2604-158-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-165-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-157-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-168-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-159-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-160-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-161-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-162-0x00007FFDF8030000-0x00007FFDF8040000-memory.dmp

Filesize
64KB

Download
memory/2604-163-0x00007FFDF8030000-0x00007FFDF8040000-memory.dmp

Filesize
64KB

Download
memory/2604-167-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/2604-166-0x00007FFDFA5B0000-0x00007FFDFA5C0000-memory.dmp

Filesize
64KB

Download
memory/4844-153-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads