8706689ec31ef2a75ab0de3aebe9db832a60056d61d4e31920ef178f588728e1

Analysis

max time kernel
12s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2023, 02:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

4.6MB
MD5

9b2e08b8a536aed37146605ceb3e00fa
SHA1

35b26cfe9fd44fe59d3648709450a560865d0c3a
SHA256

8706689ec31ef2a75ab0de3aebe9db832a60056d61d4e31920ef178f588728e1
SHA512

93991cac77a835f51feb10be168a06d706fb638b194c9bcea6d4e02c815a652805dfa8f752ca1dbe2d4fc066ead665e665c99b7b3eda284e64e33b18b0ad2b5b
SSDEEP

98304:KuWdF4xLV/N7cwgNEK91WQ2P9DegbIcuT9myYw4T1Z9JzeT/xdFxTDE/H:KtF0Hcw3KqhVuTMZXTPc7E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 1 IoCs

pid	Process
1152	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	1.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE
4000	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1152	1508	1.exe	80
PID 1508 wrote to memory of 1152	1508	1.exe	80
PID 1508 wrote to memory of 4000	1508	1.exe	83
PID 1508 wrote to memory of 4000	1508	1.exe	83

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\programdata\svchost.exe
  "C:\programdata\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\programdata\cbc.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
7.5MB

MD5
072c17c997524c93dca9ec3e5208135d

SHA1
a4f11b92364e9739234448a88fa3f72307eb979c

SHA256
e172083641604ee9bf32e117f9c3ad61ad829ef1bcb91e17c9808ce70bf269be

SHA512
1e0a6b9d7793446934bc83270d2ed3760883c222a2721eb080013016459f1da2c8da651c15f79eeb9f1bea483c536d7a62182849aa6d3ba1f5d11c921aad5c9b

Download Submit
C:\programdata\cbc.docx

Filesize
34KB

MD5
3c7b3cc8e0ed6136a93b3291631d265d

SHA1
5e9e1de60d9b1bcb7bdafff58aaf162dbbd900f6

SHA256
5cb9080900f7efbe655fb8a78dce774b8def0ba5ae7b77ccbca081b797136ec4

SHA512
accfdb20eff9abc08c664269bf9e378811d8b5facec4c4c80daf73b5695978c60bc55a109a95d0822d00fa117073f564dc2008ec256dd311b454bba45ef13a3f

Download Submit
C:\programdata\svchost.exe

Filesize
7.5MB

MD5
072c17c997524c93dca9ec3e5208135d

SHA1
a4f11b92364e9739234448a88fa3f72307eb979c

SHA256
e172083641604ee9bf32e117f9c3ad61ad829ef1bcb91e17c9808ce70bf269be

SHA512
1e0a6b9d7793446934bc83270d2ed3760883c222a2721eb080013016459f1da2c8da651c15f79eeb9f1bea483c536d7a62182849aa6d3ba1f5d11c921aad5c9b

Download Submit
memory/4000-136-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4000-137-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4000-138-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4000-139-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4000-140-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/4000-141-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download
memory/4000-142-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads