Overview

overview

10

Static

static

10

Document.doc.scr

windows7-x64

9

Document.doc.scr

windows10-2004-x64

9

Resubmissions

27-08-2024 11:34

240827-npnywazgjp 10

25-04-2024 15:35

240425-s1rw5aca8y 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.doc.scr

  • Size

    194KB

  • MD5

    ae811bd6440b425e6777f0ca001a9743

  • SHA1

    70902540ead269971e149eaff568fb17d04156af

  • SHA256

    86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498

  • SHA512

    3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e

  • SSDEEP

    3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (616) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
    "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3628
    • C:\ProgramData\6850.tmp
      "C:\ProgramData\6850.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6850.tmp >> NUL
        3⤵
          PID:2532
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:552
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{3EB60AF5-B7F9-477A-9029-7E99B5713BDA}.xps" 133585329973390000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1644

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-4084619521-2220719027-1909462854-1000\CCCCCCCCCCC
        Filesize

        129B

        MD5

        2726f78eb4531e41a196ec9a38683a72

        SHA1

        e65746074460ad001370146a1bb27d5c7f8ea1a1

        SHA256

        8472758c931ae10eadec8c36a40380c664c639d108e568e1d95dad91e46f0763

        SHA512

        47d2c2071026de13cd256ad4cd18327cbc88f24183911ee309de1433622e762a85ca6350e6e8a44a3bae43247a03363bf29dcb6d3885eb9f53875bec5a265976

        Download Submit

      • C:\ProgramData\6850.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD
        Filesize

        194KB

        MD5

        892bede212bbaae35e828c324938fa54

        SHA1

        cc11ee1e84bdb92104cb2bd1d222596136716e9a

        SHA256

        4b7e08e799ef93af51e4a8343dd90ce072507f7547cfcd500b95df826a0a0f30

        SHA512

        2dba7d9c488e7e704a2457aa14a9a5ee900bd7fe1f9eabcbe15a9769213302f930fda7690b1af757d50a86b8bfd9a84761074ed04737ac1eced1214bd184cee5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{4B8A25E5-40BA-4C9E-94A2-8CD6A3474245}
        Filesize

        4KB

        MD5

        b9c8e5a9addea756d77f499a9be9c24d

        SHA1

        5207a1d0eefef29eec541a59e222f2cc31279ac4

        SHA256

        28a31b6e9a40e5909bd6d555c497d06b5e3fe9cdc10ffcf3915d739afdca22d5

        SHA512

        ac67497b617c87d6ad9035272e226ec9b6ab02af14dcd52e13c1308cbb73c19a11b292918cb344559ea1f556325be9e0c716362694b1152f70d4dbe51b9a83f7

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        621e9a5463337e81c3530846ba589f28

        SHA1

        2ddb9edd981388776bef9adefbf3ca8a6b9a9c4a

        SHA256

        99093feb5a5741dd07405a9e41002930923abef6cf70ce1f118fb51da8c8ad5f

        SHA512

        2d776dc9d03e9d487ccad66cc268caa73521d17b7d16bf8404ff30d513cc01d274f8b0adc5a39b59eb50008af9f778da74666f965d440534b13a57626a2e0505

        Download Submit

      • C:\kZd6jLIwz.README.txt
        Filesize

        449B

        MD5

        c2f46db865b0ba6ef8f9385cf458a56e

        SHA1

        0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

        SHA256

        c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

        SHA512

        9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-4084619521-2220719027-1909462854-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        b2925b63ba72ba6b20cacd5b18e27f76

        SHA1

        cce990dc15864ca353e0daf6dfe39a25cb27ad8d

        SHA256

        5b65c999bb378f3938831b41d969ec78561668de87942e583730c9d23e901b83

        SHA512

        1276cfa84d54124fcde2069e55f5467db85d02cffe99c14d76e1cee5505be4748ff58ac0273dc8b46947e661cf592f3824f934a067952c4eb61cae951eee45d1

        Download Submit

      • memory/1644-2811-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2819-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2807-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2808-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2810-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2809-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2871-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2872-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2869-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2816-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2870-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2818-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2868-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2867-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2820-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2822-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2821-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2806-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2823-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2824-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2826-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2825-0x00007FF92B790000-0x00007FF92B7A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2827-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2828-0x00007FF96DFF0000-0x00007FF96E1E5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1644-2777-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1644-2866-0x00007FF92E070000-0x00007FF92E080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1936-1-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1936-0-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2248-2812-0x000000007FE40000-0x000000007FE41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2248-2817-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2248-2815-0x000000007FE20000-0x000000007FE21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2248-2813-0x00000000023B0000-0x00000000023C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2248-2814-0x00000000023B0000-0x00000000023C0000-memory.dmp

        Filesize

        64KB

        Download