835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4

Analysis

max time kernel
158s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe
Size

1.4MB
MD5

0567bfb2eef3409ab528c5ee0e59e4fe
SHA1

aacc14fe1d94ef9fb521c0bace66515d2c78b098
SHA256

835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4
SHA512

7ccb62504252754d9c701a8f7cb4a0aaa4049d99fa43fa62c91bbc361db165e7f6f3d78fbbc25bab6a064d799077d0544586e8efd544c376e7de7c819475de54
SSDEEP

24576:AIR+8WbmTKZ8TYlJQF3IR+8WbmTKZ+60UZX:AIiMYnQF3IifdZX

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\report.xls	office_macro_on_action

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4248 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

4248 EXCEL.EXE
4248 EXCEL.EXE
4248 EXCEL.EXE
4248 EXCEL.EXE
4248 EXCEL.EXE
4248 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

pid	process
4248	EXCEL.EXE

pid	process
4248	EXCEL.EXE
4248	EXCEL.EXE
4248	EXCEL.EXE
4248	EXCEL.EXE
4248	EXCEL.EXE
4248	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.execmd.exe

description	pid	process	target process
PID 4092 wrote to memory of 1048	4092	835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe	cmd.exe
PID 4092 wrote to memory of 1048	4092	835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe	cmd.exe
PID 4092 wrote to memory of 1048	4092	835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe	cmd.exe
PID 1048 wrote to memory of 4248	1048	cmd.exe	EXCEL.EXE
PID 1048 wrote to memory of 4248	1048	cmd.exe	EXCEL.EXE
PID 1048 wrote to memory of 4248	1048	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe
"C:\Users\Admin\AppData\Local\Temp\835954a8c5dfc1654c3f44a88d96a7ce3653c40448d68cf7772faf4ddb74b9d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auto.bat" "
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\report.xls"
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\auto.bat
Filesize
65B

MD5
1374ab899921c6fa847dcdaa9976905a

SHA1
fbf32f31948b3e0bc4cac0e3d7915bc0f0855476

SHA256
7e85dd5a2a806b1fef0e06fe737669e6f3b57f9eb841001edde3d120093f123e

SHA512
cb42f14061c0e6ea3e25c4a3cb6bebbd6b83536eca4be0f0550ed9c0b1c00479fb08e719024a5f01750cbc5f1dd2f5310ced9b01d26dddbb4efd37509db97d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\report.xls
Filesize
100KB

MD5
1aaa591fb54fd97b62ec5373fed21dac

SHA1
a40750ad1947e986c4c7cb3a2b7c1fba84fd1f8c

SHA256
0639502778b3cd3b19023c4d132c6ea2d2ad3e1bffb6aabea49ca5fe8632a63c

SHA512
95058f178b19881bfdc4a8c2bbbeb368162166ad423af8859eea2c1523f18a9ac9ba3da2bc6f3d3453275977d52ae727a3fae691f3a695f8ae1eab207236e35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\template.xls
Filesize
206KB

MD5
8d70652dee0ed44bdcfae158e66af6c8

SHA1
d18415a85a2a3881cd4b73397e9d498206212fa0

SHA256
3146bd0eb232eddfd617c13700e0340a9ef665f3ca82e96ed32fa063d5b43e0d

SHA512
e8b95417e91aadc5ac07f04db20b846ef9ce48719e0819172af5ce8477d648d570952cb0ad2b5e79c2a4edd661e3d9a8bc0750b21d4ead9f225cf2a0c728cd4d

Download Submit
memory/1048-132-0x0000000000000000-mapping.dmp

Download
memory/4248-135-0x0000000000000000-mapping.dmp

Download
memory/4248-137-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

Filesize
64KB

Download
memory/4248-138-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

Filesize
64KB

Download
memory/4248-139-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

Filesize
64KB

Download
memory/4248-140-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

Filesize
64KB

Download
memory/4248-141-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

Filesize
64KB

Download
memory/4248-142-0x00007FFD68B90000-0x00007FFD68BA0000-memory.dmp

Filesize
64KB

Download
memory/4248-143-0x00007FFD68B90000-0x00007FFD68BA0000-memory.dmp

Filesize
64KB

Download