Analysis
-
max time kernel
109s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
24-11-2022 09:11
General
-
Target
PO_97309373_Karl_Meinz_Gen._Co.doc.exe
-
Size
791KB
-
MD5
ba51fb93aed8c9bb74990ab647dabd53
-
SHA1
d15c1724ea659527cfdeba0ec0c4a07a9cdba5a1
-
SHA256
214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844
-
SHA512
352674fc850d821a71f7194caf8b74c80a8876deae008d98bb5f1884d0f5abfa16b0b8cf661378244e934961494823ca7290e1b5d4cf8bfd9248841a48399774
-
SSDEEP
24576:tt24wzbUct6DVLMmRzfDn3mes+W8lqLzaFmqj:JucJTJfbmesV6qLzaFmqj
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe"C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com"C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com" ccsiv.hsw2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.comC:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com C:\Users\Admin\AppData\Roaming\nvmvk\JKKRU3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /IM mshta.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\nvmvk\JKKRUFilesize
117KB
MD526b4a17150fd293003f10de5e27585b8
SHA159a4e7426526b0a18158b4163eed8e2d5a2561d6
SHA256082b41f71cc5a5118e1f70f49e059763d48fc072e7fc28f8efb11076537461f3
SHA512231ae48c34ae97d14b0205ee7dcf7c04cb37f222647a8e5c449d230a538c92be10d1783bb398b0e28e845de6b5eb4060ade962927f7aa92dca18edeb4cc6723f
-
C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.docFilesize
47KB
MD590e6379ae7b00aa812a1416222791530
SHA1a5709b5e55bcdfe2c0dad1a9cc1e6a3696123023
SHA2568b5779bce8aeaed0cadb20c814d79279ab91363bcfc1fbbd59ab888fdad12a39
SHA512d4bd9a430ea0a36e20312c1326f672e6f46f7b209ee322459466a70079d140be3340250ce860d3124cd6522fca4eeb9aff055a704198371b7d171cc83f96db0d
-
C:\Users\Admin\AppData\Roaming\nvmvk\YMQGIXFilesize
33KB
MD5b7869e01ac4bf487efc16c4d7ea50cef
SHA1f242def3b2400b0feead481fc4977eaa3a0edcb6
SHA256d0400ed0c3590e325b056fbf6a1b718fbcc5c644db59bcab56bc490ae84a0fa5
SHA5128b525ee668195047b14709dc8259c05f53fb6bc6e0c8092e8be44c2e029006bc15165ea15ce5bc5886d4520a99f32b53b10035d125fffa632311dee88c020c9b
-
C:\Users\Admin\AppData\Roaming\nvmvk\ccsiv.hswFilesize
115KB
MD5f0b969dad556c428a35c962d73682ccf
SHA1d7f3eff148925c54354c06324fbdc0ca2b363a09
SHA2563bc5b85f3700606a8b5b3dfdb17f7774936258c3df4b8f8800eed18b14568c80
SHA5126cb6c2ca2cb62e8ae1d614f65eb2b4f4c1a7426fed418a8c91dc246b8a08ed8c596ad6bcc4e0c3bc8ca075c09906f2c56ee2e5970a5595c39f9fdc90f6226f38
-
C:\Users\Admin\AppData\Roaming\nvmvk\nogsm.uxoFilesize
117KB
MD5c494b12717cf1b923cee39393db9d01e
SHA121e81e970c91801231d90a4f5cbfadd1429b7856
SHA2562815cce3c1d7d3383ec24eb89878487f9c8e482216cf4fd508c338269fd20519
SHA51255d058d212ee64e1971bd7912276973ae6703afca4c1c732f6e98a979b5f8b3c6cc354b30c5f0f4e4be0b71285123cd195f7cf6855abaab2f448a7cf352c9733
-
C:\Users\Admin\AppData\Roaming\nvmvk\uguhiFilesize
68KB
MD5b5f6ead0902f100c40ad5fd8ecfc7729
SHA1a4b4b7b7018587f495b43f289beec0e5a08ec2eb
SHA25670d7270b6b3dbd922ffcf6296b5c90a3276bebe902b7eca3b29aaa84a5397dd0
SHA5121779c93c6a80270cab4a884ca4c2d5cd72461b0e5e774ee807a040d00deca9bb4c08de6da6eb6d6d422527ec62d6e450700021da309f72ceb656f23f449ce138
-
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
\Users\Admin\AppData\Roaming\nvmvk\umsmr.comFilesize
732KB
MD56cf9a0d989715773d49d5ff3ad601db3
SHA1ecd328e049e23c9a826505335c0e2b9f64e7ec5e
SHA2560984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
SHA5126043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343
-
memory/432-91-0x0000000000000000-mapping.dmp
-
memory/1120-83-0x0000000000000000-mapping.dmp
-
memory/1208-89-0x0000000000000000-mapping.dmp
-
memory/1452-93-0x0000000000000000-mapping.dmp
-
memory/1492-79-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmpFilesize
8KB
-
memory/1492-78-0x0000000000000000-mapping.dmp
-
memory/1536-75-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1536-64-0x0000000072FD1000-0x0000000072FD4000-memory.dmpFilesize
12KB
-
memory/1536-103-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/1536-80-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/1536-102-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1536-73-0x0000000070A51000-0x0000000070A53000-memory.dmpFilesize
8KB
-
memory/1536-55-0x0000000000000000-mapping.dmp
-
memory/1536-76-0x0000000071A3D000-0x0000000071A48000-memory.dmpFilesize
44KB
-
memory/1616-95-0x0000000000000000-mapping.dmp
-
memory/1784-54-0x0000000076411000-0x0000000076413000-memory.dmpFilesize
8KB
-
memory/1860-97-0x0000000000000000-mapping.dmp
-
memory/1868-61-0x0000000000000000-mapping.dmp
-
memory/1868-101-0x0000000000401F8F-mapping.dmp
-
memory/1924-81-0x0000000000000000-mapping.dmp
-
memory/1984-70-0x0000000000000000-mapping.dmp
-
memory/2008-87-0x0000000000000000-mapping.dmp
-
memory/2040-85-0x0000000000000000-mapping.dmp