214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844

Analysis

max time kernel
186s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe
Size

791KB
MD5

ba51fb93aed8c9bb74990ab647dabd53
SHA1

d15c1724ea659527cfdeba0ec0c4a07a9cdba5a1
SHA256

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844
SHA512

352674fc850d821a71f7194caf8b74c80a8876deae008d98bb5f1884d0f5abfa16b0b8cf661378244e934961494823ca7290e1b5d4cf8bfd9248841a48399774
SSDEEP

24576:tt24wzbUct6DVLMmRzfDn3mes+W8lqLzaFmqj:JucJTJfbmesV6qLzaFmqj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

umsmr.comumsmr.com

pid process

4980 umsmr.com
4788 umsmr.com

pid	process
4980	umsmr.com
4788	umsmr.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exeumsmr.com

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	umsmr.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

umsmr.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	umsmr.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\umsmr.com C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\ccsiv.hsw"	umsmr.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3716 taskkill.exe

pid	process
3716	taskkill.exe

Modifies registry class 1 IoCs

Processes:

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

umsmr.com

pid process

4788 umsmr.com
4788 umsmr.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3716 taskkill.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE
1372 WINWORD.EXE

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE

pid	process
4788	umsmr.com
4788	umsmr.com

description	pid	process
Token: SeDebugPrivilege	3716	taskkill.exe

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exeumsmr.comumsmr.comcmd.exe

description	pid	process	target process
PID 3196 wrote to memory of 1372	3196	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe	WINWORD.EXE
PID 3196 wrote to memory of 1372	3196	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe	WINWORD.EXE
PID 3196 wrote to memory of 4980	3196	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe	umsmr.com
PID 3196 wrote to memory of 4980	3196	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe	umsmr.com
PID 3196 wrote to memory of 4980	3196	214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe	umsmr.com
PID 4980 wrote to memory of 4788	4980	umsmr.com	umsmr.com
PID 4980 wrote to memory of 4788	4980	umsmr.com	umsmr.com
PID 4980 wrote to memory of 4788	4980	umsmr.com	umsmr.com
PID 4788 wrote to memory of 1428	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 1428	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 1428	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 1708	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 1708	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 1708	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3268	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3268	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3268	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3704	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3704	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 3704	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4472	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4472	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4472	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 536	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 536	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 536	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4336	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4336	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4336	4788	umsmr.com	mshta.exe
PID 4788 wrote to memory of 4544	4788	umsmr.com	cmd.exe
PID 4788 wrote to memory of 4544	4788	umsmr.com	cmd.exe
PID 4788 wrote to memory of 4544	4788	umsmr.com	cmd.exe
PID 4544 wrote to memory of 3716	4544	cmd.exe	taskkill.exe
PID 4544 wrote to memory of 3716	4544	cmd.exe	taskkill.exe
PID 4544 wrote to memory of 3716	4544	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe
"C:\Users\Admin\AppData\Local\Temp\214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3196

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
"C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com" ccsiv.hsw
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com C:\Users\Admin\AppData\Roaming\nvmvk\OCFOH
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1428

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1708

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:3268

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:3704

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4472

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:536

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nvmvk\OCFOH

Filesize
117KB

MD5
26b4a17150fd293003f10de5e27585b8

SHA1
59a4e7426526b0a18158b4163eed8e2d5a2561d6

SHA256
082b41f71cc5a5118e1f70f49e059763d48fc072e7fc28f8efb11076537461f3

SHA512
231ae48c34ae97d14b0205ee7dcf7c04cb37f222647a8e5c449d230a538c92be10d1783bb398b0e28e845de6b5eb4060ade962927f7aa92dca18edeb4cc6723f

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc

Filesize
47KB

MD5
90e6379ae7b00aa812a1416222791530

SHA1
a5709b5e55bcdfe2c0dad1a9cc1e6a3696123023

SHA256
8b5779bce8aeaed0cadb20c814d79279ab91363bcfc1fbbd59ab888fdad12a39

SHA512
d4bd9a430ea0a36e20312c1326f672e6f46f7b209ee322459466a70079d140be3340250ce860d3124cd6522fca4eeb9aff055a704198371b7d171cc83f96db0d

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\YMQGIX

Filesize
33KB

MD5
b7869e01ac4bf487efc16c4d7ea50cef

SHA1
f242def3b2400b0feead481fc4977eaa3a0edcb6

SHA256
d0400ed0c3590e325b056fbf6a1b718fbcc5c644db59bcab56bc490ae84a0fa5

SHA512
8b525ee668195047b14709dc8259c05f53fb6bc6e0c8092e8be44c2e029006bc15165ea15ce5bc5886d4520a99f32b53b10035d125fffa632311dee88c020c9b

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\ccsiv.hsw

Filesize
115KB

MD5
f0b969dad556c428a35c962d73682ccf

SHA1
d7f3eff148925c54354c06324fbdc0ca2b363a09

SHA256
3bc5b85f3700606a8b5b3dfdb17f7774936258c3df4b8f8800eed18b14568c80

SHA512
6cb6c2ca2cb62e8ae1d614f65eb2b4f4c1a7426fed418a8c91dc246b8a08ed8c596ad6bcc4e0c3bc8ca075c09906f2c56ee2e5970a5595c39f9fdc90f6226f38

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\nogsm.uxo

Filesize
117KB

MD5
c494b12717cf1b923cee39393db9d01e

SHA1
21e81e970c91801231d90a4f5cbfadd1429b7856

SHA256
2815cce3c1d7d3383ec24eb89878487f9c8e482216cf4fd508c338269fd20519

SHA512
55d058d212ee64e1971bd7912276973ae6703afca4c1c732f6e98a979b5f8b3c6cc354b30c5f0f4e4be0b71285123cd195f7cf6855abaab2f448a7cf352c9733

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\uguhi

Filesize
68KB

MD5
b5f6ead0902f100c40ad5fd8ecfc7729

SHA1
a4b4b7b7018587f495b43f289beec0e5a08ec2eb

SHA256
70d7270b6b3dbd922ffcf6296b5c90a3276bebe902b7eca3b29aaa84a5397dd0

SHA512
1779c93c6a80270cab4a884ca4c2d5cd72461b0e5e774ee807a040d00deca9bb4c08de6da6eb6d6d422527ec62d6e450700021da309f72ceb656f23f449ce138

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com

Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com

Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com

Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
memory/536-155-0x0000000000000000-mapping.dmp

Download
memory/1372-147-0x00007FFBB44B0000-0x00007FFBB44C0000-memory.dmp

Filesize
64KB

Download
memory/1372-143-0x00007FFBB44B0000-0x00007FFBB44C0000-memory.dmp

Filesize
64KB

Download
memory/1372-144-0x00007FFBB44B0000-0x00007FFBB44C0000-memory.dmp

Filesize
64KB

Download
memory/1372-145-0x00007FFBB44B0000-0x00007FFBB44C0000-memory.dmp

Filesize
64KB

Download
memory/1372-146-0x00007FFBB44B0000-0x00007FFBB44C0000-memory.dmp

Filesize
64KB

Download
memory/1372-132-0x0000000000000000-mapping.dmp

Download
memory/1372-148-0x00007FFBB2450000-0x00007FFBB2460000-memory.dmp

Filesize
64KB

Download
memory/1372-149-0x00007FFBB2450000-0x00007FFBB2460000-memory.dmp

Filesize
64KB

Download
memory/1428-142-0x0000000000000000-mapping.dmp

Download
memory/1708-151-0x0000000000000000-mapping.dmp

Download
memory/3268-152-0x0000000000000000-mapping.dmp

Download
memory/3704-153-0x0000000000000000-mapping.dmp

Download
memory/3716-158-0x0000000000000000-mapping.dmp

Download
memory/4336-156-0x0000000000000000-mapping.dmp

Download
memory/4472-154-0x0000000000000000-mapping.dmp

Download
memory/4544-157-0x0000000000000000-mapping.dmp

Download
memory/4788-139-0x0000000000000000-mapping.dmp

Download
memory/4980-133-0x0000000000000000-mapping.dmp

Download