4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f

General

Target

4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Size

143KB
MD5

6d5e05f8bf1017ed591fd60ffbb1360e
SHA1

ada2b46dc786b2fe41448b1e49e99eea14952ce3
SHA256

4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f
SHA512

9854f7a31316f9442a4058b6c510f351d9de0849eee4ecdb341e4556cfed036c992f74c21e97a0e7519bb22f8c3a4120a6f8b78aaf3081dbe4554e6545f7aee2
SSDEEP

1536:bmi+xxdgF45E4h2Hnq8OFnouy8CBZJalRG7IwKiCRa44v8Ls5:bmi+/dgy5Ef8doutaZJaQqLR34G8

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3740	osk.exe
220	WINWORD.EXE
2092	WINWORD.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-134-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/files/0x0004000000022e24-137.dat	upx
behavioral2/files/0x0004000000022e24-138.dat	upx
behavioral2/memory/4920-139-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/memory/3740-144-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/files/0x0004000000022e49-146.dat	upx
behavioral2/files/0x0004000000022e49-145.dat	upx
behavioral2/memory/3740-147-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/memory/220-150-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/files/0x0002000000022e4a-151.dat	upx
behavioral2/memory/220-160-0x0000000011000000-0x000000001103E000-memory.dmp	upx
behavioral2/files/0x0004000000022e49-159.dat	upx
behavioral2/memory/2092-163-0x0000000011000000-0x000000001103E000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	osk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WINWORD.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	WINWORD.EXE
File opened (read-only)	\??\V:	WINWORD.EXE
File opened (read-only)	\??\X:	WINWORD.EXE
File opened (read-only)	\??\B:	WINWORD.EXE
File opened (read-only)	\??\L:	WINWORD.EXE
File opened (read-only)	\??\R:	WINWORD.EXE
File opened (read-only)	\??\S:	WINWORD.EXE
File opened (read-only)	\??\U:	WINWORD.EXE
File opened (read-only)	\??\W:	WINWORD.EXE
File opened (read-only)	\??\E:	WINWORD.EXE
File opened (read-only)	\??\J:	WINWORD.EXE
File opened (read-only)	\??\M:	WINWORD.EXE
File opened (read-only)	\??\P:	WINWORD.EXE
File opened (read-only)	\??\G:	WINWORD.EXE
File opened (read-only)	\??\H:	WINWORD.EXE
File opened (read-only)	\??\I:	WINWORD.EXE
File opened (read-only)	\??\K:	WINWORD.EXE
File opened (read-only)	\??\N:	WINWORD.EXE
File opened (read-only)	\??\O:	WINWORD.EXE
File opened (read-only)	\??\Q:	WINWORD.EXE
File opened (read-only)	\??\Y:	WINWORD.EXE
File opened (read-only)	\??\F:	WINWORD.EXE
File opened (read-only)	\??\Z:	WINWORD.EXE

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\DisconnectTrace.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\StepSelect.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\TraceImport.enc	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3852	WINWORD.EXE
3852	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3740	osk.exe
3740	osk.exe
3740	osk.exe
3740	osk.exe
220	WINWORD.EXE
220	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
3740	osk.exe
220	WINWORD.EXE
2092	WINWORD.EXE
3852	WINWORD.EXE
3852	WINWORD.EXE
3852	WINWORD.EXE
3852	WINWORD.EXE
3852	WINWORD.EXE
3852	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 3852	4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe	85
PID 4920 wrote to memory of 3852	4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe	85
PID 4920 wrote to memory of 3740	4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe	86
PID 4920 wrote to memory of 3740	4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe	86
PID 4920 wrote to memory of 3740	4920	4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe	86
PID 3740 wrote to memory of 220	3740	osk.exe	87
PID 3740 wrote to memory of 220	3740	osk.exe	87
PID 3740 wrote to memory of 220	3740	osk.exe	87
PID 220 wrote to memory of 2092	220	WINWORD.EXE	88
PID 220 wrote to memory of 2092	220	WINWORD.EXE	88
PID 220 wrote to memory of 2092	220	WINWORD.EXE	88

C:\Users\Admin\AppData\Local\Temp\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe
"C:\Users\Admin\AppData\Local\Temp\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f .docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3852
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
C:\Windows\Temp\_$Cf\4d4c0c21a7e73174055c87494fb71d8db3bb86a5110b43d1c471a08dd25f353f .docx

Filesize
10KB

MD5
abfae85b84450719d7fb32688424d589

SHA1
bd7004d292afb6aec829eea1c27b13fa8c0259bc

SHA256
10bf6ec69a070ea5d28c9f76efbb5100ce849bd3439bd2a8b3dbfa0584de88c0

SHA512
0a57c1bfcf6989e5448b3dafdaccd91358d82ecdfa952bb739740aa838a75b745c6e1a238540a8013d776fa895feecf5e5a63b373517f1cb5d660b972d15ca49

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
134KB

MD5
16313c4d99088daa64cdc3863ec93335

SHA1
d4169e346c9758ee85ec7b3750d87bf6785a56f6

SHA256
597c7222db4066ab05ff8fa1622f43990d4c680748b83e867ee787431f88ffad

SHA512
e8eeef4a88c0c43d97c9b12465f41a6b69b9dbc79a894b979b01fdd4751616e16e7beb077adc232470913fa34471ed8868cc65910bc15a0a2ebce43cec2e5727

Download Submit
memory/220-160-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/220-150-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/2092-163-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/3740-147-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/3740-144-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/3852-166-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-155-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-156-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-157-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3852-153-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-169-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-154-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-168-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-164-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/3852-152-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/3852-167-0x00007FFF1A650000-0x00007FFF1A660000-memory.dmp

Filesize
64KB

Download
memory/4920-139-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download
memory/4920-134-0x0000000011000000-0x000000001103E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads