Analysis
-
max time kernel
102s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
26-04-2024 07:15
General
-
Target
Document.doc.scr.exe
-
Size
194KB
-
MD5
407ea767aa26ae13f9ff20d0999c8dda
-
SHA1
07e615132ef78e827047ffc4cc6c9d44f5a976fd
-
SHA256
f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
-
SHA512
6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
-
SSDEEP
3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx
Malware Config
Signatures
-
Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 2 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr.exe"1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
C:\ProgramData\8B78.tmp"C:\ProgramData\8B78.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8B78.tmp >> NUL3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{07788479-03E5-4DD0-A8F9-DD3CE90C96DE}.xps" 1335858932055500002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD55c75d50b57598a6c45df295392780228
SHA17fc9244fab4e7d3ee62c4e81a0db9fc6196a0f59
SHA25626d59a101210ae0d50b46b56cee3282ab440602dd933b7b153c48bcf6a3e916d
SHA512e78c69b1feee8d6ab054b6b1d3ff5037ddac500b56c5c8fc60cc47061ad3499b67cddc9fb9d54cac3b832e306b6020c21b1b144d17d3b06253b3ec18153764fe
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
194KB
MD564faf5be4def7335c842f98f9ea28222
SHA169932c642918744e5698962e95f7147ad919b305
SHA25634c011d39216297b7b129ce75c9a8f15c9a95386bccabd01795a57f4db38e30f
SHA5121259cb57cc138a77e770a40999299d671be5cc4e875ed35eddfa3743113a909fcbd5da9345485ebb117dbfc97767ec099732879dbf5390b34dd20bcdfae13f07
-
Filesize
4KB
MD5ff23d6d7d10de036cc1cd0f96e54850f
SHA1bb680981cb1c6f25fd34033f9e80cc108e6ee28a
SHA256be4132032b4919b3c66f89b7500395416f2e5663bfa7d03b09b4be06f6919983
SHA5128b9403b4314534e9fe8170fcbdd2b309de9cbea3b3a5f891e41a5c16dbde6c510e9aac8d341a7721e4a096e8f39574b757f3aa203a6b6c76641448ba5b343a8d
-
Filesize
4KB
MD58c8df8de38c2b7fe02ef72207b6b0000
SHA103a63f686c6c6b039d0c4d4a3833c9d36ee2063f
SHA256d48b95ad36115d5e188bb64e7849161c0c89107b3c92aae833553c83af651ca1
SHA51229d55a5f7a88dae5b13f64d62adff79b4969e13197c45f297932096414ccb7be513ddc3736c0c0b0ebd415c155c89cb6c2b52f597569e49ef78c7020205e21d4
-
Filesize
434B
MD5ad29bd8c66e114ff57c943d16c78f72a
SHA15ab070ee89a36f38facae4dfc8ec5ce3e59af46e
SHA2566fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c
SHA512a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1
-
Filesize
129B
MD51df2fa1d35b622908a40d9e06c581af3
SHA1f01049603c74125049977aab424fb63fddf54543
SHA256c94b41abe119280975ec2ea908f64be2468db9c7c15cac9ef379ea8377ecc16f
SHA51204c5ab1eb56bd225f047c881d1b2ac09921238a6aee71b5189152c846149676c4df01541df809660bed93af1ae64e90fcf3be0d91b7c8928f91f9e3a01884c08
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB