201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542

General

Target

201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe
Size

723KB
MD5

bdb6a69ae23569a7dfb3259fefde14a5
SHA1

b0d24b8a75ea8ff8e22a1ff4e7fa2dea4e4f2749
SHA256

201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542
SHA512

3f26af94b584121d133216709653d3ee7495e67debb78fc569dd12149c3fde277e3a853464feea81bd113d324d8767948946844134396f90b7bf89b0a119e908
SSDEEP

12288:ERBk7MpC7tYR4eYLEkiw4PKEgOHS1ZBvKEjGbCAlLxgajRy9hH:EFQeYLbKKEPS1bvKE2JCajRUH

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

WScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\h = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\h.vbs\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\h = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\h.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\h = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\h.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\h = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\h.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3744 WINWORD.EXE
3744 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

3744 WINWORD.EXE
3744 WINWORD.EXE
3744 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

pid	process
3744	WINWORD.EXE
3744	WINWORD.EXE

pid	process
3744	WINWORD.EXE
3744	WINWORD.EXE
3744	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.execmd.exeWScript.exe

description	pid	process	target process
PID 4868 wrote to memory of 4580	4868	201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe	cmd.exe
PID 4868 wrote to memory of 4580	4868	201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe	cmd.exe
PID 4868 wrote to memory of 4580	4868	201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe	cmd.exe
PID 4580 wrote to memory of 224	4580	cmd.exe	WScript.exe
PID 4580 wrote to memory of 224	4580	cmd.exe	WScript.exe
PID 4580 wrote to memory of 224	4580	cmd.exe	WScript.exe
PID 4580 wrote to memory of 3744	4580	cmd.exe	WINWORD.EXE
PID 4580 wrote to memory of 3744	4580	cmd.exe	WINWORD.EXE
PID 224 wrote to memory of 1500	224	WScript.exe	wscript.exe
PID 224 wrote to memory of 1500	224	WScript.exe	wscript.exe
PID 224 wrote to memory of 1500	224	WScript.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe
"C:\Users\Admin\AppData\Local\Temp\201d6cee594f4b4fb7445b7d65d79ec6574ce56463e76e5a4574b4d5ec264542.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\h.vbs && start C:\Users\Admin\Voc.doc
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\h.vbs"
3⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\h.vbs"
4⤵
- Drops startup file
- Adds Run key to start application
PID:1500

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Voc.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h.vbs

Filesize
43KB

MD5
1ec283947dc7d76854c936806f57eacf

SHA1
c7a604353750d3d4e43cfb9d813b41776855bf73

SHA256
8b8aead4157caa14460cfcabebf4084934c9a0296dba3827d32401db3a2aee43

SHA512
6dbb19b6915fd3eec68ea266ad5ff874996a3052ce32e2e0453c3b12586fbdfe33650318cc3833b7152a01603e60030fd6fcd11f7634ffdc172fb6c5db0a1a9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Voc.doc

Filesize
32KB

MD5
4478b9ae1b1b462028f6acdab4060e36

SHA1
68301c030e9948bc715adf8e38c17bd373b0ce8c

SHA256
afa9980d6a8151348f8134bebf191705740e71f2e60e39f1c6bea9ac39a498a3

SHA512
dd39f4a01b521aa061e81c8ce9a9f81b6c5a83e578b9431d6011c63927735fb32ea20f55df8d9ec26241e38bc62e32e900d5455dba77f1643cac110afe987985

Download Submit
C:\Users\Admin\h.vbs

Filesize
43KB

MD5
1ec283947dc7d76854c936806f57eacf

SHA1
c7a604353750d3d4e43cfb9d813b41776855bf73

SHA256
8b8aead4157caa14460cfcabebf4084934c9a0296dba3827d32401db3a2aee43

SHA512
6dbb19b6915fd3eec68ea266ad5ff874996a3052ce32e2e0453c3b12586fbdfe33650318cc3833b7152a01603e60030fd6fcd11f7634ffdc172fb6c5db0a1a9a

Download Submit
memory/224-135-0x0000000000000000-mapping.dmp

Download
memory/1500-138-0x0000000000000000-mapping.dmp

Download
memory/3744-137-0x0000000000000000-mapping.dmp

Download
memory/3744-141-0x00007FFA74D70000-0x00007FFA74D80000-memory.dmp

Filesize
64KB

Download
memory/3744-142-0x00007FFA74D70000-0x00007FFA74D80000-memory.dmp

Filesize
64KB

Download
memory/3744-143-0x00007FFA74D70000-0x00007FFA74D80000-memory.dmp

Filesize
64KB

Download
memory/3744-144-0x00007FFA74D70000-0x00007FFA74D80000-memory.dmp

Filesize
64KB

Download
memory/3744-145-0x00007FFA74D70000-0x00007FFA74D80000-memory.dmp

Filesize
64KB

Download
memory/3744-146-0x00007FFA72D10000-0x00007FFA72D20000-memory.dmp

Filesize
64KB

Download
memory/3744-147-0x00007FFA72D10000-0x00007FFA72D20000-memory.dmp

Filesize
64KB

Download
memory/4580-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads