98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5

General

Target

98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe
Size

45KB
MD5

a1102bf6a13b4d10cb525322dc72e9f0
SHA1

dffc57614ae85c360f48016856589d49e87596ae
SHA256

98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5
SHA512

44741b28703e70aa2530460329d71162808f1b663dd15f2d00976ffbfb2d2d448f44c98e23df762e3b14fde9650f6afdbd971384bea602b6d3937eef8c0c33a6
SSDEEP

768:qqaG868R8Z8s888m8E8Qvl7ydDYs/fZf/zoVmYQz2MVg8m40BE09LnzjBdtpNL0q:NBzq+5hRpfvl7mDYwfZfbImYQzW8m4kt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4892	WinW0rd.exe
4684	winw0rd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Office = "C:\\Users\\Admin\\AppData\\Roaming\\WinW0rd.exe"	winw0rd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winw0rd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Office = "C:\\Users\\Admin\\AppData\\Roaming\\WinW0rd.exe"	winw0rd.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winw0rd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4256 set thread context of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4892 set thread context of 4684	4892	WinW0rd.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4256 wrote to memory of 4924	4256	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	82
PID 4924 wrote to memory of 4892	4924	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	83
PID 4924 wrote to memory of 4892	4924	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	83
PID 4924 wrote to memory of 4892	4924	98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe	83
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84
PID 4892 wrote to memory of 4684	4892	WinW0rd.exe	84

C:\Users\Admin\AppData\Local\Temp\98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe
"C:\Users\Admin\AppData\Local\Temp\98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256
- \??\c:\users\admin\appdata\local\temp\98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe
  "c:\users\admin\appdata\local\temp\98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Roaming\WinW0rd.exe
    "C:\Users\Admin\AppData\Roaming\WinW0rd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - \??\c:\users\admin\appdata\roaming\winw0rd.exe
      "c:\users\admin\appdata\roaming\winw0rd.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinW0rd.exe

Filesize
45KB

MD5
a1102bf6a13b4d10cb525322dc72e9f0

SHA1
dffc57614ae85c360f48016856589d49e87596ae

SHA256
98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5

SHA512
44741b28703e70aa2530460329d71162808f1b663dd15f2d00976ffbfb2d2d448f44c98e23df762e3b14fde9650f6afdbd971384bea602b6d3937eef8c0c33a6

Download Submit
C:\Users\Admin\AppData\Roaming\WinW0rd.exe

Filesize
45KB

MD5
a1102bf6a13b4d10cb525322dc72e9f0

SHA1
dffc57614ae85c360f48016856589d49e87596ae

SHA256
98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5

SHA512
44741b28703e70aa2530460329d71162808f1b663dd15f2d00976ffbfb2d2d448f44c98e23df762e3b14fde9650f6afdbd971384bea602b6d3937eef8c0c33a6

Download Submit
C:\Users\Admin\AppData\Roaming\WinW0rd.exe

Filesize
45KB

MD5
a1102bf6a13b4d10cb525322dc72e9f0

SHA1
dffc57614ae85c360f48016856589d49e87596ae

SHA256
98b66820c856c99d8067d811a3e70bee69a3a355851be064cb8bd4bd58823cd5

SHA512
44741b28703e70aa2530460329d71162808f1b663dd15f2d00976ffbfb2d2d448f44c98e23df762e3b14fde9650f6afdbd971384bea602b6d3937eef8c0c33a6

Download Submit
memory/4924-133-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4924-135-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4924-136-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing