bc6b7838aed0283638884fca8cc4fc3f1495b2b39bf1a2c9eb0a4868f9c38c79

General

Target

SOA.exe
Size

1.4MB
MD5

d35a0218361627d544d28334ca3c2cd7
SHA1

1de8ab2ada55056d0c1131c20671e167d854fdac
SHA256

bc6b7838aed0283638884fca8cc4fc3f1495b2b39bf1a2c9eb0a4868f9c38c79
SHA512

2acd1a573d5ca6b0a738d2e6ad2316f19a80f013ec0a7e205dcbd08b6bb852b5e7dda619e7cf515d2983294b4e7b18dc309dddd146bec65a1c087fa61667e76b
SSDEEP

24576:LAOcZXMuhlNU6mcQIM20GHr2nf4UsZzCJ45M4KnmdMLFspB6Q7Cj1:NEPWcQGFr84UsZn5QnmdMLE8Q7C1

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

kuumxwf.exekuumxwf.exe

pid process

1504 kuumxwf.exe
4704 kuumxwf.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exekuumxwf.exeWScript.exekuumxwf.exeSOA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	kuumxwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	kuumxwf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SOA.exe

Drops startup file 1 IoCs

Processes:

kuumxwf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk kuumxwf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	kuumxwf.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kuumxwf.exekuumxwf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	kuumxwf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\6_21 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\start.vbs"	kuumxwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\kuumxwf.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\EECHVT~1.DOC"	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\Update.vbs"	kuumxwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\kuumxwf.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\EECHVT~1.DOC"	kuumxwf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6_21\\Update.vbs"	kuumxwf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

Processes:

WScript.exekuumxwf.exeWScript.exeSOA.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	kuumxwf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SOA.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

kuumxwf.exekuumxwf.exe

pid	process
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
1504	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe
4704	kuumxwf.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

SOA.exeWScript.exekuumxwf.exeWScript.exekuumxwf.exe

description	pid	process	target process
PID 4540 wrote to memory of 3052	4540	SOA.exe	WScript.exe
PID 4540 wrote to memory of 3052	4540	SOA.exe	WScript.exe
PID 4540 wrote to memory of 3052	4540	SOA.exe	WScript.exe
PID 3052 wrote to memory of 1504	3052	WScript.exe	kuumxwf.exe
PID 3052 wrote to memory of 1504	3052	WScript.exe	kuumxwf.exe
PID 3052 wrote to memory of 1504	3052	WScript.exe	kuumxwf.exe
PID 1504 wrote to memory of 1080	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 1080	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 1080	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2812	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2812	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2812	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 4268	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 4268	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 4268	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2020	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2020	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 2020	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 456	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 456	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 456	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 5112	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 5112	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 5112	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 1388	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 1388	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 1388	1504	kuumxwf.exe	mshta.exe
PID 1504 wrote to memory of 512	1504	kuumxwf.exe	WScript.exe
PID 1504 wrote to memory of 512	1504	kuumxwf.exe	WScript.exe
PID 1504 wrote to memory of 512	1504	kuumxwf.exe	WScript.exe
PID 512 wrote to memory of 4704	512	WScript.exe	kuumxwf.exe
PID 512 wrote to memory of 4704	512	WScript.exe	kuumxwf.exe
PID 512 wrote to memory of 4704	512	WScript.exe	kuumxwf.exe
PID 4704 wrote to memory of 3440	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 3440	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 3440	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1320	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1320	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1320	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2344	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2344	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2344	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1016	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1016	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 1016	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2984	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2984	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 2984	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 4776	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 4776	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 4776	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 3756	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 3756	4704	kuumxwf.exe	mshta.exe
PID 4704 wrote to memory of 3756	4704	kuumxwf.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_21\mmpc.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
"C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe" eechvt.docx
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2812

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:4268

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2020

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:456

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:5112

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6_21\run.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
"C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe" EECHVT~1.DOC
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:3440

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:1320

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:2344

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:1016

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:2984

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:4776

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
6⤵
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_21\eechvt.docx
Filesize
103.4MB

MD5
78dd14bc52e6fc75715bfe92e0c6692a

SHA1
22d729a2f6404316a9543d33b30d5690b0e740cd

SHA256
d3fa88084c98e36019386de00ac6a79fbaad80bc882e1ec5514d9f96988bb8aa

SHA512
4ff7e1bd28835844197abd572d408ce1502f1e8b3fe3a47fb0c0b42508cf5dafc62d60b41fa2dedfa280e26b941e11ecaa2134f547249e6fbcb4e425e6eb12f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\kuumxwf.exe
Filesize
924KB

MD5
fd406d1474a8785eeadb0de62631867a

SHA1
9430597cfdd47f68ec3a88fb5c071b88832a4dc3

SHA256
cf42fd1e3fa71ddb1a49b36e78ec679241c2140b9dfbd2f4f2777323b5e4957e

SHA512
12eef0f96375f8d0e88dff249ac81e1b1251a9bdeefe865fb95d794013890b91f91d14522dd52298033c4ac21e3f29b2a8c4ea3239f22d6cef28b8f9a9165da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\muaeln.bmp
Filesize
80KB

MD5
0ca179fdcea0d5819c2e4e607a7a03b6

SHA1
6bb79be93dcea41e01d15befedfbb338b00c2152

SHA256
f686aa5f309a5f19f1e5f4841a3bb6961a0c62a947318887ef83518cb1d3589e

SHA512
a78da2276efca95882e09117c17205308dc276cdb0f0bbfef7e45d9658d963e6be20d4f93d70fee933c5f7dcaa2964cb5376f3dd645effd1648a5d74415df46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\muhlecj.bmr
Filesize
1004KB

MD5
d783b716a5bfce6f1b8e8689984676f4

SHA1
e04055ecc2e9f104c0723f25b859fe020fda245a

SHA256
c4a09c9e0f831a6b7aafac51d65188a54203ca4104dadec931adbd2bc523878f

SHA512
626f19d2de95a5981915a4e0a94d8b4516fcb947468df3287a29a05bec4682378031510506f49ac7db6fc8d11cae8676c624fa20fc3914f7783b2b24afabaa4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_21\run.vbs
Filesize
131B

MD5
f962fe7d84a2d5abb6aad89f15256a2a

SHA1
30346d453a430ee04988de312a7d1853a511f4b6

SHA256
951ec1b4f9eac064de86d431931fb368185e62e29092e69fcabf36b3f3c5e355

SHA512
34592ac7b9f42f8bcf18f82dd94208e90c04a98f85db683df036a649fc5e6a33c863b869762c9e63b9e2c8422290e3a8168cb7c5658ddc969dc622bf16ce54f3

Download Submit
C:\Users\Admin\AppData\Local\temp\6_21\mmpc.vbe
Filesize
52KB

MD5
b2152eebceb8d17d92fd80958abc4b3e

SHA1
704152bd1b4adacebe66a6d3c5d8f8d3b9417422

SHA256
06bdfcd261781865f13ab0fcc90d00ef3211b3957cd751339b984935fb0c6850

SHA512
b6386430f6bf4d1b995eac1ec269520d8943529297bcccbe1df33e865eaaacf9476979e18dde6d32ef95a9fdddc18c6cb856d0efb2ba048c9e9fad05e7ff2ec2

Download Submit
memory/456-143-0x0000000000000000-mapping.dmp

Download
memory/512-147-0x0000000000000000-mapping.dmp

Download
memory/1016-154-0x0000000000000000-mapping.dmp

Download
memory/1080-139-0x0000000000000000-mapping.dmp

Download
memory/1320-152-0x0000000000000000-mapping.dmp

Download
memory/1388-145-0x0000000000000000-mapping.dmp

Download
memory/1504-135-0x0000000000000000-mapping.dmp

Download
memory/2020-142-0x0000000000000000-mapping.dmp

Download
memory/2344-153-0x0000000000000000-mapping.dmp

Download
memory/2812-140-0x0000000000000000-mapping.dmp

Download
memory/2984-155-0x0000000000000000-mapping.dmp

Download
memory/3052-132-0x0000000000000000-mapping.dmp

Download
memory/3440-151-0x0000000000000000-mapping.dmp

Download
memory/3756-157-0x0000000000000000-mapping.dmp

Download
memory/4268-141-0x0000000000000000-mapping.dmp

Download
memory/4704-149-0x0000000000000000-mapping.dmp

Download
memory/4776-156-0x0000000000000000-mapping.dmp

Download
memory/5112-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads