8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f

General

Target

c13a7c20e658b8c5f8e2958eaa94331e.exe
Size

2.0MB
MD5

c13a7c20e658b8c5f8e2958eaa94331e
SHA1

9ab3f9aba8a596fbc8fcfd43ef6f59a27476c57b
SHA256

8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f
SHA512

afc58c261fdee76fc47a91e7b93c345be60e0d3b224098568044808c5d8cc21e52fd6e931861ca27705a091b0fc5430988d3624447c72cc6540c30e9e4faee99
SSDEEP

49152:OFUcx88PWPOpX0SFEPCX/6bsqLZINvfhY+0l6YxTLyGc:O+K88uPCHuayQqu3hY+0l1LyGc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	4297.tmp

Executes dropped EXE 1 IoCs

pid	Process
3272	4297.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	4297.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3332	WINWORD.EXE
3332	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3272	4297.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3272	4044	c13a7c20e658b8c5f8e2958eaa94331e.exe	90
PID 4044 wrote to memory of 3272	4044	c13a7c20e658b8c5f8e2958eaa94331e.exe	90
PID 4044 wrote to memory of 3272	4044	c13a7c20e658b8c5f8e2958eaa94331e.exe	90
PID 3272 wrote to memory of 3332	3272	4297.tmp	94
PID 3272 wrote to memory of 3332	3272	4297.tmp	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe
"C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\4297.tmp
  "C:\Users\Admin\AppData\Local\Temp\4297.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe 52EFD26ECDD19FA0D1C85E027B16309AE7621B92E88CDCF74EA217DA31C6A5F40831732B40DB8E56BBB79B3C443351CC5B079F3C01145667E543B780919F76E3
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4297.tmp

Filesize
2.0MB

MD5
a09d2474910628e5f9387ffd5514547b

SHA1
ac72716e54d434c3f09f6ff1f00a48d6a0b41601

SHA256
d59e2d88a9fe1c219d4d87ae96b591fbdcce551076c28c65eb29c3444987c102

SHA512
70a1a1bd1594599981877df4e9a73e90573fbfbe5242401d8eef8cf4007134c0ca21eaa5c86176d462d22c5ad78a7f04c5aebefda50ab0cb46c1dd97b03ee5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
memory/3272-5-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/3332-19-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-21-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-12-0x00007FFEB0CF0000-0x00007FFEB0D00000-memory.dmp

Filesize
64KB

Download
memory/3332-13-0x00007FFEB0CF0000-0x00007FFEB0D00000-memory.dmp

Filesize
64KB

Download
memory/3332-14-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-16-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-15-0x00007FFEB0CF0000-0x00007FFEB0D00000-memory.dmp

Filesize
64KB

Download
memory/3332-17-0x00007FFEB0CF0000-0x00007FFEB0D00000-memory.dmp

Filesize
64KB

Download
memory/3332-18-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-45-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-20-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-11-0x00007FFEB0CF0000-0x00007FFEB0D00000-memory.dmp

Filesize
64KB

Download
memory/3332-22-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-23-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/3332-24-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-25-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-26-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-27-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-28-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-31-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-30-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/3332-29-0x00007FFEAEAB0000-0x00007FFEAEAC0000-memory.dmp

Filesize
64KB

Download
memory/3332-44-0x00007FFEF0C70000-0x00007FFEF0E65000-memory.dmp

Filesize
2.0MB

Download
memory/4044-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads