867912868ef71d5781305e61762d25b59f98b23d6a781a0e75be2705d30a3163

General

Target

新建文件夹/翟星天简历.docx.lnk
Size

39KB
MD5

22acae755096d085bc6f2b252523cc3b
SHA1

53b8e7c251cff125fd046281b9d106ca3021cefc
SHA256

7bb6dd81a44e6acb125ec9fb483c0c65cad01869f5a282bc61e6df81fe1f4553
SHA512

b1ae3c2e13c52ea15a559393778a020a1174b48d446d25aca65d4a97522716c6a81713ad40d88e9df922f308a45bf9a7c3b2f67b9884458a5bcb0aa5c374aefc
SSDEEP

768:dguiWbvcF7K/ccy7/zjo61M39TiFww6oLVRELZqKsmsWXpo47:eRWzclCcP/Js9RoLVEZrnp77

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	3428	WerFault.exe	88

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	wsc_proxy.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5116	WINWORD.EXE
5116	WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE
5116	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 456	2112	cmd.exe	86
PID 2112 wrote to memory of 456	2112	cmd.exe	86
PID 3780 wrote to memory of 3428	3780	explorer.exe	88
PID 3780 wrote to memory of 3428	3780	explorer.exe	88
PID 3428 wrote to memory of 5116	3428	wsc_proxy.exe	90
PID 3428 wrote to memory of 5116	3428	wsc_proxy.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\新建文件夹\翟星天简历.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" ".\__MACOSX\wsc_proxy.exe"
  2⤵
  PID:456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Local\Temp\新建文件夹\__MACOSX\wsc_proxy.exe
  "C:\Users\Admin\AppData\Local\Temp\新建文件夹\__MACOSX\wsc_proxy.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\Documents\µÔÐÇÌì¼òÀú.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:5116
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3428 -s 1096
    3⤵
    - Program crash
    PID:2256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3428 -ip 3428
1⤵
PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
4KB

MD5
79a35fdceae1ca96ef4b5bd9803e1a3a

SHA1
4aacdb22e50b997f01cdf13a42af0d2325a9fb69

SHA256
c1a0713b1ac134df748c0d56b580ff9aa897f2dad5337a72696b6179175cffc3

SHA512
e9b118f12f9004f974a19539716d87cd1d4ac0442f5a0faa88d8872197201b46c63cdfaad28f9348772587ee1c77dbe68dac6f29a316e07d84012f8f4089ebc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c7255cd100f370e6859003b1cd7117b8

SHA1
f58cea5e33dfb69e9fcf1ff3a7bdada05dfeb042

SHA256
059eed42b27f04bdc0c41e35371ed9ec6204a52624dcf35e161ad2d32a523266

SHA512
53eb4de18d601beee0744ca8099ee94af9462893b2114c119ca632d2dec67c474bd4feba86a22777d09663710d784e31b4585f1a91dcf09a9fcaf0f134cf1956

Download Submit
C:\Users\Public\Documents\µÔÐÇÌì¼òÀú.docx

Filesize
261KB

MD5
ffbb79159833b90fab85edda85c3db28

SHA1
c5fc1567acf8f437e3b1e8bb3dcf3dd31a07de11

SHA256
7e5813959f6b2c259aec742c746cfcd0af3783b903ed883b8e7b6d1881183f1e

SHA512
fa9807c6712d95e7a31daa4bb2ef5f87b76f696a2a0fa6210e8a7c8e4cfe8bc6f8693abae4f125296522e58b6b22bf76ff5f492f49a604f18d68cf6c2658e4bf

Download Submit
memory/5116-144-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-140-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-143-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-137-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-146-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-147-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-145-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-148-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-149-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-150-0x00007FF902AF0000-0x00007FF902B00000-memory.dmp

Filesize
64KB

Download
memory/5116-151-0x00007FF902AF0000-0x00007FF902B00000-memory.dmp

Filesize
64KB

Download
memory/5116-142-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-156-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-157-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-158-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-169-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-141-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-139-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-138-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-213-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-214-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-215-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-216-0x00007FF904F30000-0x00007FF904F40000-memory.dmp

Filesize
64KB

Download
memory/5116-217-0x00007FF944EB0000-0x00007FF9450A5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads