d020a1c7f108b06f6539c5f49d869d527758188736a36ae91b7659051acd4793

Analysis

max time kernel
188s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_97309373_Karl_Meinz_Gen._Co.doc.exe
Size

791KB
MD5

ba51fb93aed8c9bb74990ab647dabd53
SHA1

d15c1724ea659527cfdeba0ec0c4a07a9cdba5a1
SHA256

214167e1feb613503ca6053634ac634f1f7acf688ba1b79534984e9c2cff2844
SHA512

352674fc850d821a71f7194caf8b74c80a8876deae008d98bb5f1884d0f5abfa16b0b8cf661378244e934961494823ca7290e1b5d4cf8bfd9248841a48399774
SSDEEP

24576:tt24wzbUct6DVLMmRzfDn3mes+W8lqLzaFmqj:JucJTJfbmesV6qLzaFmqj

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

umsmr.comumsmr.com

pid process

2732 umsmr.com
2464 umsmr.com

pid	process
2732	umsmr.com
2464	umsmr.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO_97309373_Karl_Meinz_Gen._Co.doc.exeumsmr.com

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PO_97309373_Karl_Meinz_Gen._Co.doc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	umsmr.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

umsmr.com

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	umsmr.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\umsmr.com C:\\Users\\Admin\\AppData\\Roaming\\nvmvk\\ccsiv.hsw"	umsmr.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

umsmr.com

description pid process target process

PID 2464 set thread context of 5036 2464 umsmr.com RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2464 set thread context of 5036	2464	umsmr.com	RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5064 taskkill.exe

pid	process
5064	taskkill.exe

Modifies registry class 1 IoCs

Processes:

PO_97309373_Karl_Meinz_Gen._Co.doc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	PO_97309373_Karl_Meinz_Gen._Co.doc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

780 WINWORD.EXE
780 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

umsmr.com

pid process

2464 umsmr.com
2464 umsmr.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 5064 taskkill.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

780 WINWORD.EXE
780 WINWORD.EXE
780 WINWORD.EXE

pid	process
780	WINWORD.EXE
780	WINWORD.EXE

pid	process
2464	umsmr.com
2464	umsmr.com

description	pid	process
Token: SeDebugPrivilege	5064	taskkill.exe

pid	process
780	WINWORD.EXE
780	WINWORD.EXE
780	WINWORD.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

PO_97309373_Karl_Meinz_Gen._Co.doc.exeumsmr.comumsmr.comcmd.exe

description	pid	process	target process
PID 3548 wrote to memory of 780	3548	PO_97309373_Karl_Meinz_Gen._Co.doc.exe	WINWORD.EXE
PID 3548 wrote to memory of 780	3548	PO_97309373_Karl_Meinz_Gen._Co.doc.exe	WINWORD.EXE
PID 3548 wrote to memory of 2732	3548	PO_97309373_Karl_Meinz_Gen._Co.doc.exe	umsmr.com
PID 3548 wrote to memory of 2732	3548	PO_97309373_Karl_Meinz_Gen._Co.doc.exe	umsmr.com
PID 3548 wrote to memory of 2732	3548	PO_97309373_Karl_Meinz_Gen._Co.doc.exe	umsmr.com
PID 2732 wrote to memory of 2464	2732	umsmr.com	umsmr.com
PID 2732 wrote to memory of 2464	2732	umsmr.com	umsmr.com
PID 2732 wrote to memory of 2464	2732	umsmr.com	umsmr.com
PID 2464 wrote to memory of 3700	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 3700	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 3700	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4116	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4116	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4116	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 5100	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 5100	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 5100	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 1964	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 1964	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 1964	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4656	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4656	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4656	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4764	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4764	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4764	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4016	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4016	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 4016	2464	umsmr.com	mshta.exe
PID 2464 wrote to memory of 3476	2464	umsmr.com	cmd.exe
PID 2464 wrote to memory of 3476	2464	umsmr.com	cmd.exe
PID 2464 wrote to memory of 3476	2464	umsmr.com	cmd.exe
PID 3476 wrote to memory of 5064	3476	cmd.exe	taskkill.exe
PID 3476 wrote to memory of 5064	3476	cmd.exe	taskkill.exe
PID 3476 wrote to memory of 5064	3476	cmd.exe	taskkill.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe
PID 2464 wrote to memory of 5036	2464	umsmr.com	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe
"C:\Users\Admin\AppData\Local\Temp\PO_97309373_Karl_Meinz_Gen._Co.doc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:780

C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
"C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com" ccsiv.hsw
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com C:\Users\Admin\AppData\Roaming\nvmvk\PRVFH
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:3700

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4116

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:5100

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1964

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4656

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4764

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Drops file in Windows directory
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nvmvk\PRVFH
Filesize
117KB

MD5
26b4a17150fd293003f10de5e27585b8

SHA1
59a4e7426526b0a18158b4163eed8e2d5a2561d6

SHA256
082b41f71cc5a5118e1f70f49e059763d48fc072e7fc28f8efb11076537461f3

SHA512
231ae48c34ae97d14b0205ee7dcf7c04cb37f222647a8e5c449d230a538c92be10d1783bb398b0e28e845de6b5eb4060ade962927f7aa92dca18edeb4cc6723f

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\Purchase order.doc
Filesize
47KB

MD5
90e6379ae7b00aa812a1416222791530

SHA1
a5709b5e55bcdfe2c0dad1a9cc1e6a3696123023

SHA256
8b5779bce8aeaed0cadb20c814d79279ab91363bcfc1fbbd59ab888fdad12a39

SHA512
d4bd9a430ea0a36e20312c1326f672e6f46f7b209ee322459466a70079d140be3340250ce860d3124cd6522fca4eeb9aff055a704198371b7d171cc83f96db0d

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\YMQGIX
Filesize
33KB

MD5
b7869e01ac4bf487efc16c4d7ea50cef

SHA1
f242def3b2400b0feead481fc4977eaa3a0edcb6

SHA256
d0400ed0c3590e325b056fbf6a1b718fbcc5c644db59bcab56bc490ae84a0fa5

SHA512
8b525ee668195047b14709dc8259c05f53fb6bc6e0c8092e8be44c2e029006bc15165ea15ce5bc5886d4520a99f32b53b10035d125fffa632311dee88c020c9b

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\ccsiv.hsw
Filesize
115KB

MD5
f0b969dad556c428a35c962d73682ccf

SHA1
d7f3eff148925c54354c06324fbdc0ca2b363a09

SHA256
3bc5b85f3700606a8b5b3dfdb17f7774936258c3df4b8f8800eed18b14568c80

SHA512
6cb6c2ca2cb62e8ae1d614f65eb2b4f4c1a7426fed418a8c91dc246b8a08ed8c596ad6bcc4e0c3bc8ca075c09906f2c56ee2e5970a5595c39f9fdc90f6226f38

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\nogsm.uxo
Filesize
117KB

MD5
c494b12717cf1b923cee39393db9d01e

SHA1
21e81e970c91801231d90a4f5cbfadd1429b7856

SHA256
2815cce3c1d7d3383ec24eb89878487f9c8e482216cf4fd508c338269fd20519

SHA512
55d058d212ee64e1971bd7912276973ae6703afca4c1c732f6e98a979b5f8b3c6cc354b30c5f0f4e4be0b71285123cd195f7cf6855abaab2f448a7cf352c9733

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\uguhi
Filesize
68KB

MD5
b5f6ead0902f100c40ad5fd8ecfc7729

SHA1
a4b4b7b7018587f495b43f289beec0e5a08ec2eb

SHA256
70d7270b6b3dbd922ffcf6296b5c90a3276bebe902b7eca3b29aaa84a5397dd0

SHA512
1779c93c6a80270cab4a884ca4c2d5cd72461b0e5e774ee807a040d00deca9bb4c08de6da6eb6d6d422527ec62d6e450700021da309f72ceb656f23f449ce138

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
C:\Users\Admin\AppData\Roaming\nvmvk\umsmr.com
Filesize
732KB

MD5
6cf9a0d989715773d49d5ff3ad601db3

SHA1
ecd328e049e23c9a826505335c0e2b9f64e7ec5e

SHA256
0984d3bc6ce07e701241aa785fa057e8bba7eb2503a5bef726a06a8bd2d2f349

SHA512
6043c05fb23cda3c831db65e080eea4f0e680eab5cd47c13d32cee777e3e877e1223d2b71d713db37d9b6c9111407cbb615fcec5fc3d63d14e82cec10ae83343

Download Submit
memory/780-148-0x00007FFEAA8E0000-0x00007FFEAA8F0000-memory.dmp

Filesize
64KB

Download
memory/780-143-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/780-144-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/780-145-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/780-146-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/780-142-0x00007FFEACFD0000-0x00007FFEACFE0000-memory.dmp

Filesize
64KB

Download
memory/780-132-0x0000000000000000-mapping.dmp

Download
memory/780-150-0x00007FFEAA8E0000-0x00007FFEAA8F0000-memory.dmp

Filesize
64KB

Download
memory/1964-152-0x0000000000000000-mapping.dmp

Download
memory/2464-139-0x0000000000000000-mapping.dmp

Download
memory/2732-133-0x0000000000000000-mapping.dmp

Download
memory/3476-156-0x0000000000000000-mapping.dmp

Download
memory/3700-147-0x0000000000000000-mapping.dmp

Download
memory/4016-155-0x0000000000000000-mapping.dmp

Download
memory/4116-149-0x0000000000000000-mapping.dmp

Download
memory/4656-153-0x0000000000000000-mapping.dmp

Download
memory/4764-154-0x0000000000000000-mapping.dmp

Download
memory/5036-159-0x0000000000000000-mapping.dmp

Download
memory/5036-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5036-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5064-157-0x0000000000000000-mapping.dmp

Download
memory/5100-151-0x0000000000000000-mapping.dmp

Download