Overview

overview

10

Static

static

10

Document.doc.scr.exe

windows7-x64

9

Document.doc.scr.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 06:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.doc.scr.exe

  • Size

    194KB

  • MD5

    6fd558cf3add096970e15d1e62ca1957

  • SHA1

    78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23

  • SHA256

    41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898

  • SHA512

    fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc

  • SSDEEP

    3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (563) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3016
    • C:\ProgramData\9F7D.tmp
      "C:\ProgramData\9F7D.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9F7D.tmp >> NUL
        3⤵
          PID:2068
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:668
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9E3596D3-69E5-49FB-AC98-985C3EEC534A}.xps" 133585858946920000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:1324

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\UUUUUUUUUUU
        Filesize

        129B

        MD5

        a39a14679a8f0e92f5abdf09c29480e0

        SHA1

        5c17d1003661abecd54219b4b186edcc2da6f086

        SHA256

        23f2b9b59e402f6d9e6f9ddddc30fe9008dc74363aa8744658b9ca9c1db13d1e

        SHA512

        362c778c04bc30b8ec77cf7bcce7d2a9746a795db28bd19d69752033fbdc160a72f803741111a14b8977797afb26cb87a499b5e412c73a54c602bb39d83ff1c9

        Download Submit

      • C:\AAtvmKv4L.README.txt
        Filesize

        434B

        MD5

        b4709a56b9d7f431da172316cda720be

        SHA1

        d2132f7129a7003ec4c0392f0f08cd24ea353da6

        SHA256

        192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

        SHA512

        e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

        Download Submit

      • C:\ProgramData\9F7D.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDD
        Filesize

        194KB

        MD5

        c1ac6ac90b2f1f5c4f90a098181daf2f

        SHA1

        c1c01361c777c07e523ba5f4a08fa90f44b7c196

        SHA256

        b8127edc90983ab7b072a720c0e2c81856794302e34067331afd3ee2ca55c83c

        SHA512

        41d784002dd75a14e9b4b6585d388bd2f254cf548588133c94e3c864e4a0a3dff9ab8171b3d9b3d240c78192759a8cbc872954671f9e37cc5723b4701b88cbdb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{F66E7B38-8009-467F-B311-CA96D89C7C1D}
        Filesize

        4KB

        MD5

        6369a7bd52c29e4392ddc0e5f22108e1

        SHA1

        e691f6e10b4569230cd58acbc87f8858e8bc35d9

        SHA256

        e95bd7ecc4398505d18222ea227078ab3826d45983a3c544372e40d0ab0ec85b

        SHA512

        2e82ed53db6acc95df49c3d5849fa12d80f197699d2c634f5415414893a15e828ff88d2bc8ef9e6900c505b8679c25058b2f4d12936d077cdd9c39bef7baba12

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        be400980cfc80dc3de2ac8aacfda0688

        SHA1

        fbab8b2566eb51453f8364cf26a4f6f189fc766b

        SHA256

        b8154ff2439a0ee4a89f69e5b696430d2c0fd98f7cb6ea14701a8ebe2f4c0481

        SHA512

        4f1993918e2673ceb138e8ffc674bd44063d814d8a611efc44af2b34144a12e8d83d8ddd073ae9c33350e5c5ee99456736b079c80fbf18361a93914a891a8536

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        b93b46ea2a1e11d9d6b0e73e2de7b2f9

        SHA1

        7a260a6a45bb70b9866a35a1b530298ad790e973

        SHA256

        163bd8e21451f5c944b1890eaaee07f3b847c1da827716af8ca540883c8d23e6

        SHA512

        1d2a8a9d1f9c6da2aefa7ecd903a80aa55f02729cabbc70b85179bc04d42b7ef2141936e73906bbb9b5d29817993e1d59ce831fab306057692d47d407bf6d32e

        Download Submit

      • memory/1324-2790-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2761-0x00007FF968610000-0x00007FF968620000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2758-0x00007FF968610000-0x00007FF968620000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2754-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2756-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2755-0x00007FF968610000-0x00007FF968620000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2752-0x00007FF968610000-0x00007FF968620000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2826-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2750-0x00007FF968610000-0x00007FF968620000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2791-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2792-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2759-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2793-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2794-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2795-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2796-0x00007FF966280000-0x00007FF966290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2798-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2797-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2800-0x00007FF966280000-0x00007FF966290000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1324-2799-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1324-2825-0x00007FF9A8590000-0x00007FF9A8785000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3144-1-0x0000000003210000-0x0000000003220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3144-2-0x0000000003210000-0x0000000003220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3144-0-0x0000000003210000-0x0000000003220000-memory.dmp

        Filesize

        64KB

        Download