cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e

Analysis

max time kernel
193s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Size

217KB
MD5

b4f5bfc0ab0cc3d6b7a6b9653784de56
SHA1

c5314c708dbcd5d2f76bdab8ea3848c2bc1777c9
SHA256

cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e
SHA512

f94b3d6f024e64fa8761a4db9dbb5c8d308752d487fb3f859ae5d22ef950ebf200787c9d491462248fedcbbd031b6c8d1c3c3c0415b0f13b2777a237b4d314e4
SSDEEP

3072:D1dlKwgj23+Oz05YoNozPTQydKKQR4KQS+2YkX4NX1enJ0fVTdCqBzIwPwR/3HFX:D1dlZro5yPTQyoKjh2Yn91285dFz1mH9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1596	WINWORD.EXE
1596	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1596	WINWORD.EXE
1596	WINWORD.EXE
1596	WINWORD.EXE
1596	WINWORD.EXE
1596	WINWORD.EXE
1596	WINWORD.EXE
1596	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1596	1268	cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe	83
PID 1268 wrote to memory of 1596	1268	cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe	83

C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
"C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Hmas.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hmas.doc

Filesize
109KB

MD5
38b3a3a2f3679d1f12dc76208aeef7d2

SHA1
eece72da5420c5ea8501a8273a0e1bd6fe59148b

SHA256
05b12df7e9ee980fcad3ce4b0dd8335578a458be4328ea895d1cb9247ee2ac30

SHA512
619870731a2a6bda44bf92bf035f1d8a5001fe7a6300b990a841dbedb1354487bba477c739dc7c82790ae81d0d0a6bb176f963df355b97ffebe5512c138ade72

Download Submit
memory/1596-134-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1596-136-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1596-135-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1596-137-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1596-138-0x00007FFD16230000-0x00007FFD16240000-memory.dmp

Filesize
64KB

Download
memory/1596-139-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

Filesize
64KB

Download
memory/1596-140-0x00007FFD141D0000-0x00007FFD141E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads