9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223

General

Target

9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe
Size

139KB
MD5

6a5b3756d94eb031d2d0f17d8aa770c2
SHA1

ea01889c4f7b08847290646a05fed16be7de3ec0
SHA256

9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223
SHA512

43b30a67043b3471848b9958d72b495848ac6e5a3b28ac9d5b7455b5e3ce35508d7f5b28dbdc3b06f63122aae749a39defa8b3bc9ce9fd3b7b4c87c1f219628e
SSDEEP

3072:6mi+/dgy5Ef8doutaZZYCajVJ4pcUiqbHBchQfi:6tSEf+oSaR6PKcTcBchQf

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4644	osk.exe
3616	WINWORD.EXE
2040	WINWORD.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/644-134-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0007000000022e50-137.dat	upx
behavioral2/files/0x0007000000022e50-138.dat	upx
behavioral2/memory/644-139-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/4644-143-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0008000000022e58-146.dat	upx
behavioral2/files/0x0008000000022e58-145.dat	upx
behavioral2/memory/4644-147-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/files/0x0006000000022e59-150.dat	upx
behavioral2/files/0x0008000000022e58-157.dat	upx
behavioral2/memory/3616-158-0x0000000011000000-0x000000001102F000-memory.dmp	upx
behavioral2/memory/2040-161-0x0000000011000000-0x000000001102F000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	osk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WINWORD.EXE

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opened.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Recently.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	osk.exe
File opened for modification	C:\Windows\SysWOW64\WINWORD.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\WINWORD.EXE	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Files.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\These.enc	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	osk.exe
File opened for modification	C:\Windows\SysWOW64\Com\ctfmoon.exe	WINWORD.EXE
File opened for modification	C:\Windows\SysWOW64\Are.enc	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4560	WINWORD.EXE
4560	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4644	osk.exe
4644	osk.exe
4644	osk.exe
4644	osk.exe
3616	WINWORD.EXE
3616	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe
4644	osk.exe
3616	WINWORD.EXE
2040	WINWORD.EXE
4560	WINWORD.EXE
4560	WINWORD.EXE
4560	WINWORD.EXE
4560	WINWORD.EXE
4560	WINWORD.EXE
4560	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4560	644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe	82
PID 644 wrote to memory of 4560	644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe	82
PID 644 wrote to memory of 4644	644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe	83
PID 644 wrote to memory of 4644	644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe	83
PID 644 wrote to memory of 4644	644	9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe	83
PID 4644 wrote to memory of 3616	4644	osk.exe	84
PID 4644 wrote to memory of 3616	4644	osk.exe	84
PID 4644 wrote to memory of 3616	4644	osk.exe	84
PID 3616 wrote to memory of 2040	3616	WINWORD.EXE	85
PID 3616 wrote to memory of 2040	3616	WINWORD.EXE	85
PID 3616 wrote to memory of 2040	3616	WINWORD.EXE	85

C:\Users\Admin\AppData\Local\Temp\9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe
"C:\Users\Admin\AppData\Local\Temp\9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\_$Cf\9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223 .doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4560
- C:\Windows\Temp\_$Cf\osk.exe
  "C:\Windows\Temp\_$Cf\osk.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\WINWORD.EXE
    "C:\Windows\system32\WINWORD.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\WINWORD.EXE
      "C:\Windows\system32\WINWORD.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Com\ctfmoon.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\SysWOW64\WINWORD.EXE

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\9d29526dc58a2a2fd8a8a2769ca6a4ebd6861abbecb2d8d50745f0563cce5223 .doc

Filesize
118KB

MD5
4e9b69cecff4ca8e53137add4071ad5b

SHA1
51ba5a8ec1125ad1a726121a0977f3980e740cab

SHA256
9fbf56cd714f26aeba25c9896e1d668c28465b806e0dd298dbea4429098f5931

SHA512
e47c7f8333f958fef019bc56a3663e0879e1509b82c06d71243cb5d41032bdb462da6962848f9137e4cbeaa6bc84ad37377a7da053f0b1786f35576d52b38b70

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
C:\Windows\Temp\_$Cf\osk.exe

Filesize
74KB

MD5
862a96836fe55f230039047fc1897b6f

SHA1
56a56c039d90714cefe7d2e7bb02e13c2b04764c

SHA256
0044b6448afbf8cce1057d5226b4baf27708656d9245f06dc9408956ced0cb21

SHA512
d6e77acb572339746797cfb9fd62b90fbcef4590f47eba5db538e97f7535326266b8146e120983d35a0978298083ffae90714ce119ef9c456b428374d288d574

Download Submit
memory/644-139-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/644-134-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/2040-161-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/3616-158-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/4560-152-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-163-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download
memory/4560-153-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-154-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-155-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-168-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-167-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-166-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-162-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download
memory/4560-151-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4560-165-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4644-143-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download
memory/4644-147-0x0000000011000000-0x000000001102F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads