Analysis
- max time kernel: 149s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 14:34
Static task: static1
Behavioral task: behavioral1
  Sample: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
  Resource: win10v2004-20220812-en
General
- Target: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
- Size: 223KB
- MD5: 325ef393cb894ec32c3e0496adb954f4
- SHA1: 3942bc68d6a5f292f396c79fef1aaf46a2413b45
- SHA256: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5
- SHA512: f6f265673db1a31ef58bcec87d51b1ad7788e474ecd35fa8b95b7a3888a44911636ddaefe4461b5a6c916819f2300726367e6de4c2ddea55e33be69da1eab226
- SSDEEP: 3072:HbHZEXb+0peSIfzxvOkO+7uE8/SkPPADH4cl5KwoY1uFFpzZL1lY4/D3jsl1vjL6:7HZL/SIf7qJ/uHNW5K2DTslxjm
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\49379 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msaufxj.scr" | svchost.exe
Executes dropped EXE (2 IoCs)
Processes: word.exe, word.exe
  pid | process
  2364 | word.exe
  212 | word.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe, cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | cmd.exe
Loads dropped DLL (2 IoCs)
Processes: word.exe
  pid | process
  2364 | word.exe
  2364 | word.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: word.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | word.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | word.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: word.exe
  description | pid | process | target process
  PID 2364 set thread context of 212 | 2364 | word.exe | word.exe
Drops file in Program Files directory (1 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\PROGRA~3\LOCALS~1\Temp\msaufxj.scr | svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\word.exe | nsis_installer_2
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies registry class (1 IoCs)
Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes: EXCEL.EXE
  pid | process
  2844 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: word.exe
  pid | process
  212 | word.exe
  212 | word.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: word.exe
  pid | process
  212 | word.exe
  212 | word.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: EXCEL.EXE
  pid | process
  2844 | EXCEL.EXE (12 identical entries)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe, cmd.exe, word.exe, word.exe
  description | pid | process | target process
  PID 4824 wrote to memory of 4308 | 4824 | 6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe | cmd.exe (3 identical entries)
  PID 4308 wrote to memory of 2844 | 4308 | cmd.exe | EXCEL.EXE (3 identical entries)
  PID 4308 wrote to memory of 2364 | 4308 | cmd.exe | word.exe (3 identical entries)
  PID 2364 wrote to memory of 212 | 2364 | word.exe | word.exe (6 identical entries)
  PID 212 wrote to memory of 332 | 212 | word.exe | svchost.exe (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
         command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7th.xlsx"
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\AppData\Local\Temp\word.exe
         command line: word.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\word.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\word.exe"
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               command line: C:\Windows\syswow64\svchost.exe
               - Adds policy Run key to start application
               - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7th.xlsx
  Filesize: 11KB
  MD5: 0d9e8698246eb3c0b7fba1678dabde11
  SHA1: 38629cac35d812cdcf14071dd84d2fa03922cdce
  SHA256: 13ee82153ffae33b033456400ae12695e6eecc19522772a698ff2bc4643a5883
  SHA512: 6e08b017e3f25969ca9a0d60353a208cca2e6d59035995d8e59522e46a9b701af7efd083d466642ca2192ddc77c9ee002cfb2435cbb086c4a0a06ca150d747bb
C:\Users\Admin\AppData\Local\Temp\nsuE016.tmp\eVfrvsgtRS.dll
  Filesize: 100KB
  MD5: 06029cbcd32b74b637b1d40397a07e87
  SHA1: 6000cfb488739eb08bc349299c4dca62de979ad0
  SHA256: d23e418da8580e89dba1f0d97b1fafbf577c45b6e4770c3db01ebe23f7217e69
  SHA512: 16540d2a8750108be78e082fcb3e5655e835c368a33626268134c552b17c0029529db476598913a7cd57974b7bb3501b0e7bad6a85a87fe9fe950f2d367ebdcc
C:\Users\Admin\AppData\Local\Temp\setup.bat
  Filesize: 47B
  MD5: 2f6486d6900e095ecc69781650a235e6
  SHA1: 3ae9f70dea5b98df6d88e75f740a8d03fd94bae8
  SHA256: cd3db5a55f22e093944f263a9f3c69e9ab916284b5cc6a056e7cd4d49b1b6cf6
  SHA512: 0778e37942fd9be2df528b158fea225d7c58ee324703d0ec57602f5c83162c674134136d5f30bc14b215eef2a84ad056d0e216dbc99dd65f8bf279de1df2037b
C:\Users\Admin\AppData\Local\Temp\word.exe
  Filesize: 93KB
  MD5: a138a8eabea1c2f19d75b9160294b42a
  SHA1: beac1990d1f3c456d61a970b6a1552d980197618
  SHA256: e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7
  SHA512: 2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1
memory/212-147-0x0000000000000000-mapping.dmp
memory/212-148-0x0000000000400000-0x0000000000405000-memory.dmp (Filesize: 20KB)
memory/332-155-0x00000000002B0000-0x00000000002B5000-memory.dmp (Filesize: 20KB)
memory/332-150-0x0000000000000000-mapping.dmp
memory/332-151-0x0000000000AE0000-0x0000000000AEE000-memory.dmp (Filesize: 56KB)
memory/332-152-0x00000000002B0000-0x00000000002B5000-memory.dmp (Filesize: 20KB)
memory/2364-136-0x0000000000000000-mapping.dmp
memory/2364-141-0x0000000002FB0000-0x0000000002FD3000-memory.dmp (Filesize: 140KB)
memory/2844-145-0x00007FFE78230000-0x00007FFE78240000-memory.dmp (Filesize: 64KB)
memory/2844-146-0x00007FFE78230000-0x00007FFE78240000-memory.dmp (Filesize: 64KB)
memory/2844-144-0x00007FFE78230000-0x00007FFE78240000-memory.dmp (Filesize: 64KB)
memory/2844-143-0x00007FFE78230000-0x00007FFE78240000-memory.dmp (Filesize: 64KB)
memory/2844-142-0x00007FFE78230000-0x00007FFE78240000-memory.dmp (Filesize: 64KB)
memory/2844-153-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp (Filesize: 64KB)
memory/2844-154-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp (Filesize: 64KB)
memory/2844-135-0x0000000000000000-mapping.dmp
memory/4308-132-0x0000000000000000-mapping.dmp