6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5

General

Target

6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
Size

223KB
MD5

325ef393cb894ec32c3e0496adb954f4
SHA1

3942bc68d6a5f292f396c79fef1aaf46a2413b45
SHA256

6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5
SHA512

f6f265673db1a31ef58bcec87d51b1ad7788e474ecd35fa8b95b7a3888a44911636ddaefe4461b5a6c916819f2300726367e6de4c2ddea55e33be69da1eab226
SSDEEP

3072:HbHZEXb+0peSIfzxvOkO+7uE8/SkPPADH4cl5KwoY1uFFpzZL1lY4/D3jsl1vjL6:7HZL/SIf7qJ/uHNW5K2DTslxjm

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\49379 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msaufxj.scr"	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

word.exeword.exe

pid process

2364 word.exe
212 word.exe

pid	process
2364	word.exe
212	word.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

word.exe

pid process

2364 word.exe
2364 word.exe

pid	process
2364	word.exe
2364	word.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

word.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	word.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	word.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

word.exe

description pid process target process

PID 2364 set thread context of 212 2364 word.exe word.exe
Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\PROGRA~3\LOCALS~1\Temp\msaufxj.scr svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2364 set thread context of 212	2364	word.exe	word.exe

description	ioc	process
File created	C:\PROGRA~3\LOCALS~1\Temp\msaufxj.scr	svchost.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\word.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2844 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

word.exe

pid process

212 word.exe
212 word.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

word.exe

pid process

212 word.exe
212 word.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

pid	process
212	word.exe
212	word.exe

pid	process
212	word.exe
212	word.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE
2844	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.execmd.exeword.exeword.exe

description	pid	process	target process
PID 4824 wrote to memory of 4308	4824	6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe	cmd.exe
PID 4824 wrote to memory of 4308	4824	6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe	cmd.exe
PID 4824 wrote to memory of 4308	4824	6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe	cmd.exe
PID 4308 wrote to memory of 2844	4308	cmd.exe	EXCEL.EXE
PID 4308 wrote to memory of 2844	4308	cmd.exe	EXCEL.EXE
PID 4308 wrote to memory of 2844	4308	cmd.exe	EXCEL.EXE
PID 4308 wrote to memory of 2364	4308	cmd.exe	word.exe
PID 4308 wrote to memory of 2364	4308	cmd.exe	word.exe
PID 4308 wrote to memory of 2364	4308	cmd.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 2364 wrote to memory of 212	2364	word.exe	word.exe
PID 212 wrote to memory of 332	212	word.exe	svchost.exe
PID 212 wrote to memory of 332	212	word.exe	svchost.exe
PID 212 wrote to memory of 332	212	word.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe
"C:\Users\Admin\AppData\Local\Temp\6489e1f7e50e644f0ebb8b9f6b1ca6e23bfa106d03ca5dcc319d1b18fb5970a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\7th.xlsx"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Users\Admin\AppData\Local\Temp\word.exe
word.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\word.exe
"C:\Users\Admin\AppData\Local\Temp\word.exe"
4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\syswow64\svchost.exe
5⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
PID:332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7th.xlsx
Filesize
11KB

MD5
0d9e8698246eb3c0b7fba1678dabde11

SHA1
38629cac35d812cdcf14071dd84d2fa03922cdce

SHA256
13ee82153ffae33b033456400ae12695e6eecc19522772a698ff2bc4643a5883

SHA512
6e08b017e3f25969ca9a0d60353a208cca2e6d59035995d8e59522e46a9b701af7efd083d466642ca2192ddc77c9ee002cfb2435cbb086c4a0a06ca150d747bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE016.tmp\eVfrvsgtRS.dll
Filesize
100KB

MD5
06029cbcd32b74b637b1d40397a07e87

SHA1
6000cfb488739eb08bc349299c4dca62de979ad0

SHA256
d23e418da8580e89dba1f0d97b1fafbf577c45b6e4770c3db01ebe23f7217e69

SHA512
16540d2a8750108be78e082fcb3e5655e835c368a33626268134c552b17c0029529db476598913a7cd57974b7bb3501b0e7bad6a85a87fe9fe950f2d367ebdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE016.tmp\eVfrvsgtRS.dll
Filesize
100KB

MD5
06029cbcd32b74b637b1d40397a07e87

SHA1
6000cfb488739eb08bc349299c4dca62de979ad0

SHA256
d23e418da8580e89dba1f0d97b1fafbf577c45b6e4770c3db01ebe23f7217e69

SHA512
16540d2a8750108be78e082fcb3e5655e835c368a33626268134c552b17c0029529db476598913a7cd57974b7bb3501b0e7bad6a85a87fe9fe950f2d367ebdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat
Filesize
47B

MD5
2f6486d6900e095ecc69781650a235e6

SHA1
3ae9f70dea5b98df6d88e75f740a8d03fd94bae8

SHA256
cd3db5a55f22e093944f263a9f3c69e9ab916284b5cc6a056e7cd4d49b1b6cf6

SHA512
0778e37942fd9be2df528b158fea225d7c58ee324703d0ec57602f5c83162c674134136d5f30bc14b215eef2a84ad056d0e216dbc99dd65f8bf279de1df2037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.exe
Filesize
93KB

MD5
a138a8eabea1c2f19d75b9160294b42a

SHA1
beac1990d1f3c456d61a970b6a1552d980197618

SHA256
e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

SHA512
2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.exe
Filesize
93KB

MD5
a138a8eabea1c2f19d75b9160294b42a

SHA1
beac1990d1f3c456d61a970b6a1552d980197618

SHA256
e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

SHA512
2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.exe
Filesize
93KB

MD5
a138a8eabea1c2f19d75b9160294b42a

SHA1
beac1990d1f3c456d61a970b6a1552d980197618

SHA256
e6a1b7540e52601459a402fe4a6f06159e5a80a8ac48f77030070cd47fb83ab7

SHA512
2ed87bb3668abaf8b44a076707c52800429878d502ebc5e6f644af4da0e3549c438d363ac645db872474748a77118578b70f03352eae9298bdc91ef32a1c1fb1

Download Submit
memory/212-147-0x0000000000000000-mapping.dmp

Download
memory/212-148-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/332-155-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/332-150-0x0000000000000000-mapping.dmp

Download
memory/332-151-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/332-152-0x00000000002B0000-0x00000000002B5000-memory.dmp

Filesize
20KB

Download
memory/2364-136-0x0000000000000000-mapping.dmp

Download
memory/2364-141-0x0000000002FB0000-0x0000000002FD3000-memory.dmp

Filesize
140KB

Download
memory/2844-145-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

Filesize
64KB

Download
memory/2844-146-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

Filesize
64KB

Download
memory/2844-144-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

Filesize
64KB

Download
memory/2844-143-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

Filesize
64KB

Download
memory/2844-142-0x00007FFE78230000-0x00007FFE78240000-memory.dmp

Filesize
64KB

Download
memory/2844-153-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp

Filesize
64KB

Download
memory/2844-154-0x00007FFE75E50000-0x00007FFE75E60000-memory.dmp

Filesize
64KB

Download
memory/2844-135-0x0000000000000000-mapping.dmp

Download
memory/4308-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads