Analysis
max time kernel: 188s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: PO_97309373_Karl_Meinz_Gen._Co.doc.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: PO_97309373_Karl_Meinz_Gen._Co.doc.exe
  Resource: win10v2004-20221111-en
General
Target: PO_97309373_Karl_Meinz_Gen._Co.doc.exe
Size: 791KB
MD5: ba51fb93aed8c9bb74990ab647dabd53
SHA1: d15c1724ea659527cfdeba0ec0c4a07a9cdba5a1
SHA256: 214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844
SHA512: 352674fc850d821a71f7194caf8b74c80a8876deae008d98bb5f1884d0f5abfa16b0b8cf661378244e934961494823ca7290e1b5d4cf8bfd9248841a48399774
SSDEEP: 24576:tt24wzbUct6DVLMmRzfDn3mes+W8lqLzaFmqj:JucJTJfbmesV6qLzaFmqj
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  2732 | umsmr.com
  2464 | umsmr.com
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | PO_97309373_Karl_Meinz_Gen._Co.doc.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | umsmr.com
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | umsmr.com
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\umsmr.com C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\ccsiv.hsw" | umsmr.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 2464 set thread context of 5036 | 2464 | umsmr.com | RegSvcs.exe
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Kills process with taskkill 1 IoCs
Processes:
  pid | process
  5064 | taskkill.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | PO_97309373_Karl_Meinz_Gen._Co.doc.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid | process
  780 | WINWORD.EXE
  780 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  2464 | umsmr.com
  2464 | umsmr.com
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 5064 | taskkill.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  780 | WINWORD.EXE
  780 | WINWORD.EXE
  780 | WINWORD.EXE
Suspicious use of WriteProcessMemory 44 IoCs
Processes (identical rows collapsed; the count column gives how many times each row appears among the 44 IoCs):
  description | pid | process | target process | count
  PID 3548 wrote to memory of 780 | 3548 | PO_97309373_Karl_Meinz_Gen._Co.doc.exe | WINWORD.EXE | 2
  PID 3548 wrote to memory of 2732 | 3548 | PO_97309373_Karl_Meinz_Gen._Co.doc.exe | umsmr.com | 3
  PID 2732 wrote to memory of 2464 | 2732 | umsmr.com | umsmr.com | 3
  PID 2464 wrote to memory of 3700 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 4116 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 5100 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 1964 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 4656 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 4764 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 4016 | 2464 | umsmr.com | mshta.exe | 3
  PID 2464 wrote to memory of 3476 | 2464 | umsmr.com | cmd.exe | 3
  PID 3476 wrote to memory of 5064 | 3476 | cmd.exe | taskkill.exe | 3
  PID 2464 wrote to memory of 5036 | 2464 | umsmr.com | RegSvcs.exe | 9
Processes (process tree; the number is the depth in the tree, the indented line is the command line)
1. C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
      Command line: "C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com" ccsiv.hsw
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
         Command line: C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com C:\Users\Admin\AppData\Roaming\nvmvk\PRVFH
         - Executes dropped EXE
         - Checks computer location settings
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\mshta.exe (7 separate child processes, each with the same command line)
            Command line: "C:\Windows\SysWOW64\mshta.exe"
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\taskkill.exe
               Command line: taskkill /f /IM mshta.exe
               - Kills process with taskkill
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            - Drops file in Windows directory
Downloads
C:\Users\Admin\AppData\Roaming\nvmvk\PRVFH
  Filesize: 117KB
  MD5: 26b4a17150fd293003f10de5e27585b8
  SHA1: 59a4e7426526b0a18158b4163eed8e2d5a2561d6
  SHA256: 082b41f71cc5a5118e1f70f49e059763d48fc072e7fc28f8efb11076537461f3
  SHA512: 231ae48c34ae97d14b0205ee7dcf7c04cb37f222647a8e5c449d230a538c92be10d1783bb398b0e28e845de6b5eb4060ade962927f7aa92dca18edeb4cc6723f

C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc
  Filesize: 47KB
  MD5: 90e6379ae7b00aa812a1416222791530
  SHA1: a5709b5e55bcdfe2c0dad1a9cc1e6a3696123023
  SHA256: 8b5779bce8aeaed0cadb20c814d79279ab91363bcfc1fbbd59ab888fdad12a39
  SHA512: d4bd9a430ea0a36e20312c1326f672e6f46f7b209ee322459466a70079d140be3340250ce860d3124cd6522fca4eeb9aff055a704198371b7d171cc83f96db0d

C:\Users\Admin\AppData\Roaming\nvmvk\YMQGIX
  Filesize: 33KB
  MD5: b7869e01ac4bf487efc16c4d7ea50cef
  SHA1: f242def3b2400b0feead481fc4977eaa3a0edcb6
  SHA256: d0400ed0c3590e325b056fbf6a1b718fbcc5c644db59bcab56bc490ae84a0fa5
  SHA512: 8b525ee668195047b14709dc8259c05f53fb6bc6e0c8092e8be44c2e029006bc15165ea15ce5bc5886d4520a99f32b53b10035d125fffa632311dee88c020c9b

C:\Users\Admin\AppData\Roaming\nvmvk\ccsiv.hsw
  Filesize: 115KB
  MD5: f0b969dad556c428a35c962d73682ccf
  SHA1: d7f3eff148925c54354c06324fbdc0ca2b363a09
  SHA256: 3bc5b85f3700606a8b5b3dfdb17f7774936258c3df4b8f8800eed18b14568c80
  SHA512: 6cb6c2ca2cb62e8ae1d614f65eb2b4f4c1a7426fed418a8c91dc246b8a08ed8c596ad6bcc4e0c3bc8ca075c09906f2c56ee2e5970a5595c39f9fdc90f6226f38

C:\Users\Admin\AppData\Roaming\nvmvk\nogsm.uxo
  Filesize: 117KB
  MD5: c494b12717cf1b923cee39393db9d01e
  SHA1: 21e81e970c91801231d90a4f5cbfadd1429b7856
  SHA256: 2815cce3c1d7d3383ec24eb89878487f9c8e482216cf4fd508c338269fd20519
  SHA512: 55d058d212ee64e1971bd7912276973ae6703afca4c1c732f6e98a979b5f8b3c6cc354b30c5f0f4e4be0b71285123cd195f7cf6855abaab2f448a7cf352c9733

C:\Users\Admin\AppData\Roaming\nvmvk\uguhi
  Filesize: 68KB
  MD5: b5f6ead0902f100c40ad5fd8ecfc7729
  SHA1: a4b4b7b7018587f495b43f289beec0e5a08ec2eb
  SHA256: 70d7270b6b3dbd922ffcf6296b5c90a3276bebe902b7eca3b29aaa84a5397dd0
  SHA512: 1779c93c6a80270cab4a884ca4c2d5cd72461b0e5e774ee807a040d00deca9bb4c08de6da6eb6d6d422527ec62d6e450700021da309f72ceb656f23f449ce138

C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
  Filesize: 732KB
  MD5: 6cf9a0d989715773d49d5ff3ad601db3
  SHA1: ecd328e049e23c9a826505335c0e2b9f64e7ec5e
  SHA256: 0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349
  SHA512: 6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343