fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add

General

Target

fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
Size

82KB
MD5

ae033e0a65c0faabeb3d35ec072d2961
SHA1

a6160f176a5f2bfee83a5f24b1e8dbc2c754392f
SHA256

fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add
SHA512

d47ece53e340e937ceb088477d653fd44fb47a6c952dc025b4b78ed939e210265b3a8b23ecccc68236355498c9aea6e38aa65a2791a9cf72f42abb4163483f19
SSDEEP

1536:6mi+xxdgF45E4h2Hnq8OFnouy8CBZVDYTwtaRdoYVJ42+Jy/:6mi+/dgy5Ef8doutaZZYCajVJ4VJy/

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1820	osk.exe
2316	WINWORD.EXE
1776	WINWORD.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-133-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x000a000000022de3-138.dat	upx
behavioral2/files/0x000a000000022de3-139.dat	upx
behavioral2/memory/5112-140-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1820-145-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1820-148-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-147.dat	upx
behavioral2/files/0x0008000000022df9-146.dat	upx
behavioral2/files/0x0009000000022e02-151.dat	upx
behavioral2/files/0x0008000000022df9-153.dat	upx
behavioral2/memory/2316-154-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/1776-161-0x0000000011000000-0x000000001102F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WINWORD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	osk.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\AssertTrace.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1820	osk.exe
1820	osk.exe
1820	osk.exe
1820	osk.exe
2316	WINWORD.EXE
2316	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
1820	osk.exe
2316	WINWORD.EXE
1776	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4848	5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe	84
PID 5112 wrote to memory of 4848	5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe	84
PID 5112 wrote to memory of 1820	5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe	85
PID 5112 wrote to memory of 1820	5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe	85
PID 5112 wrote to memory of 1820	5112	fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe	85
PID 1820 wrote to memory of 2316	1820	osk.exe	86
PID 1820 wrote to memory of 2316	1820	osk.exe	86
PID 1820 wrote to memory of 2316	1820	osk.exe	86
PID 2316 wrote to memory of 1776	2316	WINWORD.EXE	87
PID 2316 wrote to memory of 1776	2316	WINWORD.EXE	87
PID 2316 wrote to memory of 1776	2316	WINWORD.EXE	87

C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe
"C:\Users\Admin\AppData\Local\Temp\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add .doc" /o ""
  2⤵
  PID:4848
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\fb27b18155396ac866d22a6ea0c40bdad37e121b41285c422ad7a29698334add .doc

Filesize
26KB

MD5
98d2e1b1e786cefc381e7576dbac46f8

SHA1
8814708491d90b2e2788254a9bf38a163071d780

SHA256
1d5ddea2a2d81381bab9514567e8556fe8f6848505c8627b0bcdcfc49d24871e

SHA512
8e170c02ca257b77abec904d896bfede2c04d1dd25f5807379d3f4f5dc072ceeb3a5d2220c25ce9f2545bdbc21e6c2f19fe5f49fe8a8d922084127f841c52a5d

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
memory/1776-161-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1820-145-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/1820-148-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2316-154-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/4848-155-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

Filesize
64KB

Download
memory/4848-156-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

Filesize
64KB

Download
memory/4848-158-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

Filesize
64KB

Download
memory/4848-160-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

Filesize
64KB

Download
memory/4848-162-0x00007FFE28930000-0x00007FFE28940000-memory.dmp

Filesize
64KB

Download
memory/4848-163-0x00007FFE26440000-0x00007FFE26450000-memory.dmp

Filesize
64KB

Download
memory/5112-140-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/5112-133-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing