c0b85a24980252ba554cb0747af56d6c3e8b8bdc159acbdb0915f5ee9ac90e29

General

Target

ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe
Size

347KB
MD5

555477e8c9c4003dad42488bff9130e0
SHA1

930f629846253fb7cc40072478942cc4cf81c50b
SHA256

6babfe7d1945253b43fefa09b85330c6a436ae0ee1cddd588923b5984696430d
SHA512

80e1621f56c1d314077f9c8ed5fc015952c7d0280f4b47449328fef637d89a84aee29f460f16c76ea0b0a2cb5a5552d02724504661d53349f2f97221b9df5334
SSDEEP

6144:5a9tGE4Kby8j2xdHlFbqxnGmD55arHH1wuae39FvBl+fQayZsMK:5a9tGEY8ixdHexnGuonwslba8sMK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4564	svcf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVC = "C:\\Windows\\debug\\WIA\\svcf.exe"	reg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\svcf.exe	cmd.exe
File created	C:\Windows\debug\WIA\svcs.exe	cmd.exe
File created	C:\Windows\debug\WIA\svcm.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2616	reg.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4564	svcf.exe
4564	svcf.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4944	3996	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe	79
PID 3996 wrote to memory of 4944	3996	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe	79
PID 3996 wrote to memory of 4564	3996	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe	81
PID 3996 wrote to memory of 4564	3996	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe	81
PID 3996 wrote to memory of 4564	3996	ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe	81
PID 4564 wrote to memory of 2328	4564	svcf.exe	95
PID 4564 wrote to memory of 2328	4564	svcf.exe	95
PID 4564 wrote to memory of 2328	4564	svcf.exe	95
PID 2328 wrote to memory of 2616	2328	cmd.exe	97
PID 2328 wrote to memory of 2616	2328	cmd.exe	97
PID 2328 wrote to memory of 2616	2328	cmd.exe	97
PID 4564 wrote to memory of 1848	4564	svcf.exe	98
PID 4564 wrote to memory of 1848	4564	svcf.exe	98
PID 4564 wrote to memory of 1848	4564	svcf.exe	98
PID 4564 wrote to memory of 2768	4564	svcf.exe	100
PID 4564 wrote to memory of 2768	4564	svcf.exe	100
PID 4564 wrote to memory of 2768	4564	svcf.exe	100
PID 4564 wrote to memory of 4772	4564	svcf.exe	102
PID 4564 wrote to memory of 4772	4564	svcf.exe	102
PID 4564 wrote to memory of 4772	4564	svcf.exe	102

C:\Users\Admin\AppData\Local\Temp\ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe
"C:\Users\Admin\AppData\Local\Temp\ISPRoperationZarbeAzbPMNawazSharifShowedGrief.doc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Intel\logs\Inter Services Public Relations Pakistan - Copy.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Intel\logs\svcf.exe
  "C:\Intel\logs\svcf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v SVC /t REG_SZ /d "C:\Windows\debug\WIA\svcf.exe"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Drops file in Windows directory
    PID:4772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intel\logs\Inter Services Public Relations Pakistan - Copy.doc

Filesize
97KB

MD5
3948422505b9e8d8a649a4994038c63a

SHA1
a268d4d2f74a86ab7d8be4bbd665b0751ad76781

SHA256
1bd1b435bcc6c035a51b7721b58f66bce4648665413ec8b2e57ded45e313edc1

SHA512
f7626df3dd7d5291e50ff3e4fb944f444f5bcc702cd528f2c3ad867fb237c7c5e76955eb5f827b1eec8334f8a60a181f65cbd29e1736fb9d06632a3728937aaf

Download Submit
C:\Intel\logs\svcf.exe

Filesize
94KB

MD5
f2047c7a66bd4dd95af12dde01c0e31b

SHA1
1990fa48702c52688ce6da05b714a1b3e634db76

SHA256
a7a4e4ee893fa02b7c3eb808f1bd13782f267a1df35466bd10fc46f06d6ba9bb

SHA512
8932157acf60dabb54e9dbb205cd04fbba7e82a51f6fdc228e124b0d13627dc3a69ac49e2c20b034d81c56720210a35ae77a87ef815ce9beba5442227443d458

Download Submit
C:\Intel\logs\svcf.exe

Filesize
94KB

MD5
f2047c7a66bd4dd95af12dde01c0e31b

SHA1
1990fa48702c52688ce6da05b714a1b3e634db76

SHA256
a7a4e4ee893fa02b7c3eb808f1bd13782f267a1df35466bd10fc46f06d6ba9bb

SHA512
8932157acf60dabb54e9dbb205cd04fbba7e82a51f6fdc228e124b0d13627dc3a69ac49e2c20b034d81c56720210a35ae77a87ef815ce9beba5442227443d458

Download Submit
memory/4944-137-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-142-0x00007FFBA4B80000-0x00007FFBA4B90000-memory.dmp

Filesize
64KB

Download
memory/4944-141-0x00007FFBA4B80000-0x00007FFBA4B90000-memory.dmp

Filesize
64KB

Download
memory/4944-140-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-139-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-138-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-136-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-150-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-151-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-152-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download
memory/4944-153-0x00007FFBA7350000-0x00007FFBA7360000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads