d1e2dbb528852b1ba8b60ee65e0b8e68f6d586a25d097a9a18441e7113ea14be

General

Target

VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
Size

10KB
MD5

52adb8644330dcae514aefd34c017f32
SHA1

9583bd3b7577258189b966871a08a6a36d4a00eb
SHA256

d1e2dbb528852b1ba8b60ee65e0b8e68f6d586a25d097a9a18441e7113ea14be
SHA512

30be31902975b53cbafe8dd669bae89097a513a9be2dead31b9320d26556cefc9da6a034660cb8d0281e6a167c90b76c1c37d9a1f859252eb60123f464a34b89
SSDEEP

192:TL0AUNdaLixyaupSiP/VunlYJLLLTuCadvLvLvLvLvLvLvLvLvLvgQfP5cq7av:TL0AmdaLikV3hPLTuCadvLvLvLvLvLvy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1684 WINWORD.EXE
1684 WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE
1684	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

VIRUS USE ON VIRTUAL MACHINE ONLY!!.execmd.exenet.exe

description	pid	process	target process
PID 2368 wrote to memory of 2516	2368	VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe	cmd.exe
PID 2368 wrote to memory of 2516	2368	VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe	cmd.exe
PID 2516 wrote to memory of 3980	2516	cmd.exe	net.exe
PID 2516 wrote to memory of 3980	2516	cmd.exe	net.exe
PID 3980 wrote to memory of 5052	3980	net.exe	net1.exe
PID 3980 wrote to memory of 5052	3980	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe
"C:\Users\Admin\AppData\Local\Temp\VIRUS USE ON VIRTUAL MACHINE ONLY!!.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\net.exe
    net user Admin *
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin *
      4⤵
      PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3580

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
1KB

MD5
9f421a9cda41ae45c58c938b1c193c90

SHA1
e490ca3bcbf851bb2c74a811830996335b57b995

SHA256
6e81c22ca610fe5a6cf087fe8d1ecabb48d53e101d9f76d79cfb71a7251e206d

SHA512
1f7cbddfebe906aa310ff8f8bb5a7a02e7980f40b6d741b851e2a47b67bfbf657c7773085562bec6c2d592a79febe6ff649987fafb7fd65b4c0bb576e0b6abae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
224B

MD5
e66d36cbcfd69fdf8db6e5c649137ef1

SHA1
c1ce08cca33347fe58f95f78f61c31ac6501f511

SHA256
15376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4

SHA512
78a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
bdfbd6bc75c76d9a4851775bf400449c

SHA1
57d39ced07e7f95c0bfb208c03cdcf4da2d13c3f

SHA256
85c9186f8f13734fe4beb95b75fe064234fc1ce4e29e36a4d2e69796c9917314

SHA512
fe51357c990b36d9671def528544bce3cf731898f0b5651a074d3109de35ffdc3675587f68a3c6eb23232104e65e41741e25f7034a5a67ae289379632c6b0f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
272bc977e6d9cdb40548e60a3b55e544

SHA1
43fe2011323f644cc984fc0ab1fe5ed7ef571300

SHA256
1f48541a21b15f88cb8509799ea399323e40623e233f01cfeb4f9a9b21809cfd

SHA512
c54f3a13346d13fd4bd6df9af69a04fd2d0651de8a3d071a25e391f8fb277542b69ab1febe31675547d5a8b097756bcf071af6d7076db2a6b16bdd3557f4d23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of These.asd

Filesize
27KB

MD5
d71b77bc8dc29ed06a76db5e79aa39b2

SHA1
68ae771e9ec4df2918ca211b7b9cef5d70435cab

SHA256
4568839347fd2b0fffac2971d2a22749bba1527f4866f0fbafb3dc9af66a8931

SHA512
df1ee691f5181e8ee0985e219967f22a2ff4f9101bbd8a0a3a81256c8e0cb5094f953be407dca8b2f54b4187dd838d68817551609194230141e6496b9ed5e9cf

Download Submit
memory/1684-130-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-133-0x00007FFB7CBD0000-0x00007FFB7CBE0000-memory.dmp

Filesize
64KB

Download
memory/1684-134-0x00007FFB7CBD0000-0x00007FFB7CBE0000-memory.dmp

Filesize
64KB

Download
memory/1684-129-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-128-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-127-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-417-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-418-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-419-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/1684-420-0x00007FFB800E0000-0x00007FFB800F0000-memory.dmp

Filesize
64KB

Download
memory/2368-121-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads