d37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90

General

Target

calc.cmd
Size

1KB
MD5

d457ed0b51ba58273b024d449387f162
SHA1

60bf619ed079ca310a5c426d2d7ce52c5d879647
SHA256

595590fdfa9618b7f7aab5b8795f9336d71c8918f60aa88dce5d4b07c7071a5a
SHA512

3996849f9ca799be6d42c41ae9634e7b282fccf4a366756015e5f16b0e76c941189fd65776ef9bdf51b6faa3536bb4f0d27ec09552dd5a02834ed214d3beffcf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4920	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2380	taskkill.exe
4312	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2132	4240	cmd.exe	88
PID 4240 wrote to memory of 2132	4240	cmd.exe	88
PID 2132 wrote to memory of 3620	2132	WScript.exe	90
PID 2132 wrote to memory of 3620	2132	WScript.exe	90
PID 4240 wrote to memory of 4748	4240	cmd.exe	92
PID 4240 wrote to memory of 4748	4240	cmd.exe	92
PID 3620 wrote to memory of 4960	3620	cmd.exe	93
PID 3620 wrote to memory of 4960	3620	cmd.exe	93
PID 3620 wrote to memory of 4920	3620	cmd.exe	94
PID 3620 wrote to memory of 4920	3620	cmd.exe	94
PID 4240 wrote to memory of 3028	4240	cmd.exe	95
PID 4240 wrote to memory of 3028	4240	cmd.exe	95
PID 4240 wrote to memory of 2380	4240	cmd.exe	98
PID 4240 wrote to memory of 2380	4240	cmd.exe	98
PID 3620 wrote to memory of 4312	3620	cmd.exe	105
PID 3620 wrote to memory of 4312	3620	cmd.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4748	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\calc.cmd"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4960
  - - C:\Windows\system32\timeout.exe
      timeout 300
      4⤵
      Delays execution with timeout.exe
      PID:4920
  - - C:\Windows\system32\taskkill.exe
      taskkill /im msedge.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- C:\Windows\system32\attrib.exe
  attrib -h -r /s
  2⤵
  - Views/modifies file attributes
  PID:4748
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\war.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM "war .EXE"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat

Filesize
574B

MD5
1c28e4650b89c53b1bfbaa681df69b6e

SHA1
4a35b98da5127ee907cd861089a67ee921f001d9

SHA256
f772458b163fdf1a1a22fceedfa822174f7ba622e71347473bf543ee617c9150

SHA512
85483b4f8b274d1b3f498aa94b51b5d1cd3b4644d3d1e43c22d74b496fbaf98d25c694888d7e72f498031f22f8c44c82377a6b3fdc5bca8c6f895172d532d3d0

Download Submit
C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs

Filesize
130B

MD5
9db9550d272e9aeac7d7f4e0e4992e49

SHA1
a64f1d2de1105a1c231db36e35b5aa49b5d4a67f

SHA256
dea3e44a690518ac8661d541ce6420ad62c0675ff1f048f96d3914238c05729f

SHA512
fa6c0564cad085039a58f646ec26ea2a7e577e833ece5219b5e62ccb1effab013bf690fbe6fc032a3e55e7525cffe1476b607b173a5636f3ad27cb8891252318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3028-22-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-84-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-23-0x00007FFD1B1F0000-0x00007FFD1B200000-memory.dmp

Filesize
64KB

Download
memory/3028-8-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-12-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-14-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-13-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-15-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-16-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-17-0x00007FFD1B1F0000-0x00007FFD1B200000-memory.dmp

Filesize
64KB

Download
memory/3028-18-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-19-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-21-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-11-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-9-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-24-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-10-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-25-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-26-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-27-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-28-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-29-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-30-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-7-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-57-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-80-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-81-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-82-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-83-0x00007FFD1D850000-0x00007FFD1D860000-memory.dmp

Filesize
64KB

Download
memory/3028-85-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3028-20-0x00007FFD5D7D0000-0x00007FFD5D9C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads