c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76

General

Target

c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe
Size

142KB
MD5

3bf328fb129d40fa55f05b2e7199e437
SHA1

470129ca944a909fafd38be73419167b8d218177
SHA256

c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76
SHA512

fe9a9f89f6c42f6b05d059d8c5da55c0df4190d38971069c1d73193b4490aeb378c9b3bd6e4b5bc9acbda472bfbfd9cd8da1057bdbdfa24dda2f9b617b0b9a02
SSDEEP

3072:6mi+/dgy5Ef8doutaZZYCajVJ4K4Ry9/77fzJ/zp1xk:6tSEf+oSaR6PERy9n7Bp1xk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3540	osk.exe
4616	WINWORD.EXE
1376	WINWORD.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1556-132-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0008000000022dff-137.dat	upx
behavioral2/files/0x0008000000022dff-138.dat	upx
behavioral2/memory/1556-142-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e06-144.dat	upx
behavioral2/files/0x0007000000022e06-145.dat	upx
behavioral2/memory/3540-146-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0006000000022e07-149.dat	upx
behavioral2/memory/4616-151-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e06-152.dat	upx
behavioral2/memory/4616-153-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1376-160-0x0000000011000000-0x000000001102F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	osk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINWORD.EXE

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\UnprotectMount.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3776	WINWORD.EXE
3776	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3540	osk.exe
3540	osk.exe
3540	osk.exe
3540	osk.exe
4616	WINWORD.EXE
4616	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe
3540	osk.exe
4616	WINWORD.EXE
1376	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE
3776	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3776	1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe	79
PID 1556 wrote to memory of 3776	1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe	79
PID 1556 wrote to memory of 3540	1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe	80
PID 1556 wrote to memory of 3540	1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe	80
PID 1556 wrote to memory of 3540	1556	c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe	80
PID 3540 wrote to memory of 4616	3540	osk.exe	81
PID 3540 wrote to memory of 4616	3540	osk.exe	81
PID 3540 wrote to memory of 4616	3540	osk.exe	81
PID 4616 wrote to memory of 1376	4616	WINWORD.EXE	82
PID 4616 wrote to memory of 1376	4616	WINWORD.EXE	82
PID 4616 wrote to memory of 1376	4616	WINWORD.EXE	82

C:\Users\Admin\AppData\Local\Temp\c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe
"C:\Users\Admin\AppData\Local\Temp\c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76 .doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3776
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\c56ce969c6152d4e1538e366fc94ff3c6439ee596187ee534770f5a19d39ef76 .doc

Filesize
90KB

MD5
109aacc61768b06908f65a038596130a

SHA1
ac1a53d3e86e69dc9a05b6861a5feaa36ee3bab0

SHA256
353f65a2aa5b635740c29d6b510f8f1f237a641ec9c5ebba9dbce9517e91fa47

SHA512
fb0b08afb958c56b595f87833e902b65f8370ecf28ba0928a4da5ae5aefc8eb4c09c19a128f5149c12272f994b4e97e5fa6452abdf87c0f972278e227799da3f

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
memory/1376-160-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1556-142-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1556-132-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/3540-146-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/3776-161-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-159-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-168-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-155-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-156-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-157-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-167-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-166-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/3776-162-0x00007FFE81370000-0x00007FFE81380000-memory.dmp

Filesize
64KB

Download
memory/3776-163-0x00007FFE81370000-0x00007FFE81380000-memory.dmp

Filesize
64KB

Download
memory/3776-165-0x00007FFE83C30000-0x00007FFE83C40000-memory.dmp

Filesize
64KB

Download
memory/4616-151-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/4616-153-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads