80c446dfa63ca5f562c5dc2fb279971adb71a46d931c7f80b90e6d253d892e50

General

Target

ab219bb0d8ea0014d211401830c31835.exe
Size

2.0MB
MD5

ab219bb0d8ea0014d211401830c31835
SHA1

6dccb173b1dfb1337c420b9680472386a0d4524c
SHA256

80c446dfa63ca5f562c5dc2fb279971adb71a46d931c7f80b90e6d253d892e50
SHA512

71e5d5a277669a38bb55a3954e97059fbd93406ab17a08c8503ba9602aea72d30bbf40c6c6338d48133f76f1c31b8ddf7999a517c159387c32d37dd212a8bfe0
SSDEEP

49152:OFUcx88PWPOpX0SFZptwsDoYu/VfS69kx0e2VgSByGc:O+K88uPCHfpqsK/BS6Sx8LByGc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	3374.tmp

Executes dropped EXE 1 IoCs

pid	Process
4596	3374.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	3374.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1244	WINWORD.EXE
1244	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4596	3374.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE
1244	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4596	1460	ab219bb0d8ea0014d211401830c31835.exe	92
PID 1460 wrote to memory of 4596	1460	ab219bb0d8ea0014d211401830c31835.exe	92
PID 1460 wrote to memory of 4596	1460	ab219bb0d8ea0014d211401830c31835.exe	92
PID 4596 wrote to memory of 1244	4596	3374.tmp	94
PID 4596 wrote to memory of 1244	4596	3374.tmp	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab219bb0d8ea0014d211401830c31835.exe
"C:\Users\Admin\AppData\Local\Temp\ab219bb0d8ea0014d211401830c31835.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\3374.tmp
  "C:\Users\Admin\AppData\Local\Temp\3374.tmp" --splashC:\Users\Admin\AppData\Local\Temp\ab219bb0d8ea0014d211401830c31835.exe 5C9C393F104E1D0AC23CB9F5F97E17712E894A8FCFCEC38561F9E0012210726C26D03BFA8DEF239F6F861B3F835DC964E0D301C2D7B218E916E69446ABFFE2A1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ab219bb0d8ea0014d211401830c31835.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3374.tmp

Filesize
2.0MB

MD5
ab94a25b7c25d4ea3da2fcc38c59cebe

SHA1
c811796a9e48d21e744bb0d242b282ddf074fcca

SHA256
50484e4791d51be06f1944883dd247de4b6108b683cb1ff65870930008858614

SHA512
11288a9b39a811893ed903b40ffa91f103abbcf4477561d5b2b49d40288d928fd055bbb492adebfac07193309afed0f261330d27a2a7d2be6e8b37be2b07ec88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab219bb0d8ea0014d211401830c31835.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
memory/1244-21-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-34-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-11-0x00007FFAC83D0000-0x00007FFAC83E0000-memory.dmp

Filesize
64KB

Download
memory/1244-12-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-13-0x00007FFAC83D0000-0x00007FFAC83E0000-memory.dmp

Filesize
64KB

Download
memory/1244-15-0x00007FFAC83D0000-0x00007FFAC83E0000-memory.dmp

Filesize
64KB

Download
memory/1244-14-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-17-0x00007FFAC83D0000-0x00007FFAC83E0000-memory.dmp

Filesize
64KB

Download
memory/1244-16-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-18-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-19-0x00007FFAC83D0000-0x00007FFAC83E0000-memory.dmp

Filesize
64KB

Download
memory/1244-20-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-44-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-43-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-27-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-25-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-26-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-23-0x00007FFAC5FF0000-0x00007FFAC6000000-memory.dmp

Filesize
64KB

Download
memory/1244-24-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-28-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-29-0x00007FFAC5FF0000-0x00007FFAC6000000-memory.dmp

Filesize
64KB

Download
memory/1244-30-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-31-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-32-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-33-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1244-22-0x00007FFB08350000-0x00007FFB08545000-memory.dmp

Filesize
2.0MB

Download
memory/1460-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/4596-5-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads