Analysis
-
max time kernel
193s -
max time network
229s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 16:49
Static task
static1
Behavioral task
behavioral1
Sample
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
Resource
win10v2004-20221111-en
General
-
Target
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe
-
Size
217KB
-
MD5
b4f5bfc0ab0cc3d6b7a6b9653784de56
-
SHA1
c5314c708dbcd5d2f76bdab8ea3848c2bc1777c9
-
SHA256
cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e
-
SHA512
f94b3d6f024e64fa8761a4db9dbb5c8d308752d487fb3f859ae5d22ef950ebf200787c9d491462248fedcbbd031b6c8d1c3c3c0415b0f13b2777a237b4d314e4
-
SSDEEP
3072:D1dlKwgj23+Oz05YoNozPTQydKKQR4KQS+2YkX4NX1enJ0fVTdCqBzIwPwR/3HFX:D1dlZro5yPTQyoKjh2Yn91285dFz1mH9
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1596 WINWORD.EXE 1596 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1596 WINWORD.EXE 1596 WINWORD.EXE 1596 WINWORD.EXE 1596 WINWORD.EXE 1596 WINWORD.EXE 1596 WINWORD.EXE 1596 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1268 wrote to memory of 1596 1268 cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe 83 PID 1268 wrote to memory of 1596 1268 cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe"C:\Users\Admin\AppData\Local\Temp\cfbad8243044fa4e00f23ed44c24ee3ff50e5b01dcb7c483dbb6d71675236c9e.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Hmas.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1596
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
109KB
MD538b3a3a2f3679d1f12dc76208aeef7d2
SHA1eece72da5420c5ea8501a8273a0e1bd6fe59148b
SHA25605b12df7e9ee980fcad3ce4b0dd8335578a458be4328ea895d1cb9247ee2ac30
SHA512619870731a2a6bda44bf92bf035f1d8a5001fe7a6300b990a841dbedb1354487bba477c739dc7c82790ae81d0d0a6bb176f963df355b97ffebe5512c138ade72