94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c

General

Target

94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe
Size

174KB
MD5

10e512359f7ae6285500f98014ce38db
SHA1

12afb186eeecb2fa6886ea1796859c0b290014e3
SHA256

94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c
SHA512

3f914d817fad5888a3187e0bbb5c0f1be67d73b199009946567ab08aaaa3f387b396589db3d2ecd93755231b14c20720c0ba82020bf7f44b5ba8c3f906c8d8fa
SSDEEP

3072:emi+/dgy5Ef8doutaZZYCajVJ4Af/0cgESnsxtoBqts6mc3YBOg:etSEf+oSaR6Pz3SH0qTwIMg

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1468	osk.exe
636	WINWORD.EXE
2908	WINWORD.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2268-134-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e39-137.dat	upx
behavioral2/memory/2268-139-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e39-138.dat	upx
behavioral2/files/0x0008000000022e3a-144.dat	upx
behavioral2/files/0x0008000000022e3a-145.dat	upx
behavioral2/memory/1468-146-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e3b-149.dat	upx
behavioral2/memory/636-150-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0008000000022e3a-152.dat	upx
behavioral2/memory/636-154-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/2908-156-0x0000000011000000-0x000000001102F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINWORD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	osk.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CopySet.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3920	WINWORD.EXE
3920	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1468	osk.exe
1468	osk.exe
1468	osk.exe
1468	osk.exe
636	WINWORD.EXE
636	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe
1468	osk.exe
636	WINWORD.EXE
2908	WINWORD.EXE
3920	WINWORD.EXE
3920	WINWORD.EXE
3920	WINWORD.EXE
3920	WINWORD.EXE
3920	WINWORD.EXE
3920	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3920	2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe	86
PID 2268 wrote to memory of 3920	2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe	86
PID 2268 wrote to memory of 1468	2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe	87
PID 2268 wrote to memory of 1468	2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe	87
PID 2268 wrote to memory of 1468	2268	94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe	87
PID 1468 wrote to memory of 636	1468	osk.exe	88
PID 1468 wrote to memory of 636	1468	osk.exe	88
PID 1468 wrote to memory of 636	1468	osk.exe	88
PID 636 wrote to memory of 2908	636	WINWORD.EXE	89
PID 636 wrote to memory of 2908	636	WINWORD.EXE	89
PID 636 wrote to memory of 2908	636	WINWORD.EXE	89

C:\Users\Admin\AppData\Local\Temp\94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe
"C:\Users\Admin\AppData\Local\Temp\94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c .doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3920
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
C:\Windows\Temp\_$Cf\94591a0ab58312a1f880fdc043fc55724006da184747d11d8bdb19ca8a94250c .doc

Filesize
184KB

MD5
58018b4876debda3126bb50883426199

SHA1
77ae9314f82653b7634c6d38f4e535dcedcd3c6e

SHA256
4a6123f982e6f4843d139d41585f9fba3de7c37b246e5d08a650143eecd63eee

SHA512
fa43d3d8769b0f2adacea6a2281bc23a43254101c35c08100da3652954494bf7557c5f6427e9866c81f380d6266e655f6e214698d020074606fde2e79e8306f3

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
7d633f03636375056501c9fbf6cc5684

SHA1
3694ce8ff18db978e4ae1d9187cba073d7315436

SHA256
3ec2dde7e8bc9341722a893a3ef8715c875cdc06bfb4064b9bff784c0ea72ad8

SHA512
7fca147e508a34db855b8aa01c5ed39c67065bcaa3bc40a27c7dc047a5377ed264c8f0e0eff3e0a887f6b7898bf20ddfaa128f92693d9250209157e19f78dd0b

Download Submit
memory/636-150-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/636-154-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1468-146-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2268-139-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2268-134-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2908-156-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/3920-158-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-157-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-159-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-160-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-161-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-162-0x00007FFCDBC60000-0x00007FFCDBC70000-memory.dmp

Filesize
64KB

Download
memory/3920-163-0x00007FFCDBC60000-0x00007FFCDBC70000-memory.dmp

Filesize
64KB

Download
memory/3920-165-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-167-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-166-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download
memory/3920-168-0x00007FFCDE2F0000-0x00007FFCDE300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads