d212718eb644c7803f73dc13b55536e84263a3f959219bd067dc4092a2095b15

General

Target

Document.doc.scr
Size

194KB
MD5

6fd558cf3add096970e15d1e62ca1957
SHA1

78e95fabcfe8ef7bb6419f8456deccc3d5fa4c23
SHA256

41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
SHA512

fac7efe9b76f9b6a917f8751f5be64ad8e067e5404fe05f3e9d7781ea3661a06c0baaac676a6023eb4a0b7f01bc2bb2d64d572f85aec8ad8de35cc7f106e1fdc
SSDEEP

3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (355) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

43C4.tmp

pid process

2332 43C4.tmp
Executes dropped EXE 1 IoCs

Processes:

43C4.tmp

pid process

2332 43C4.tmp
Loads dropped DLL 1 IoCs

Processes:

Document.doc.scr

pid process

2168 Document.doc.scr
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini	Document.doc.scr

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\AAtvmKv4L.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr43C4.tmp

pid process

2168 Document.doc.scr
2168 Document.doc.scr
2168 Document.doc.scr
2168 Document.doc.scr
2332 43C4.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L\ = "AAtvmKv4L"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAtvmKv4L\DefaultIcon\ = "C:\\ProgramData\\AAtvmKv4L.ico"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.AAtvmKv4L	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Document.doc.scr

pid	process
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr
2168	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

43C4.tmp

pid	process
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp
2332	43C4.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeDebugPrivilege	2168	Document.doc.scr
Token: 36	2168	Document.doc.scr
Token: SeImpersonatePrivilege	2168	Document.doc.scr
Token: SeIncBasePriorityPrivilege	2168	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	2168	Document.doc.scr
Token: 33	2168	Document.doc.scr
Token: SeManageVolumePrivilege	2168	Document.doc.scr
Token: SeProfSingleProcessPrivilege	2168	Document.doc.scr
Token: SeRestorePrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSystemProfilePrivilege	2168	Document.doc.scr
Token: SeTakeOwnershipPrivilege	2168	Document.doc.scr
Token: SeShutdownPrivilege	2168	Document.doc.scr
Token: SeDebugPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeBackupPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr
Token: SeSecurityPrivilege	2168	Document.doc.scr

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Document.doc.scr43C4.tmp

description	pid	process	target process
PID 2168 wrote to memory of 2332	2168	Document.doc.scr	43C4.tmp
PID 2168 wrote to memory of 2332	2168	Document.doc.scr	43C4.tmp
PID 2168 wrote to memory of 2332	2168	Document.doc.scr	43C4.tmp
PID 2168 wrote to memory of 2332	2168	Document.doc.scr	43C4.tmp
PID 2168 wrote to memory of 2332	2168	Document.doc.scr	43C4.tmp
PID 2332 wrote to memory of 2576	2332	43C4.tmp	cmd.exe
PID 2332 wrote to memory of 2576	2332	43C4.tmp	cmd.exe
PID 2332 wrote to memory of 2576	2332	43C4.tmp	cmd.exe
PID 2332 wrote to memory of 2576	2332	43C4.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\ProgramData\43C4.tmp
"C:\ProgramData\43C4.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\43C4.tmp >> NUL
3⤵
PID:2576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

Filesize
129B

MD5
83010fdc880a1dc57dd4ba17ee57ae99

SHA1
7d114fcd37e3fff29dfdeb2b0ff19f209bfe93cd

SHA256
2d06d126162e6a3ae7aae780b02b30aae2ee4b968db9656bb9631fab009c363a

SHA512
77064d7ff90b27c99066ec76498615c05a75c8ce75b54ae7547f8cf411fd9fda7304a7f64159863a80e6a739448758bab3601bfbc9bfdb6396531e0998985a34

Download Submit
C:\AAtvmKv4L.README.txt

Filesize
434B

MD5
b4709a56b9d7f431da172316cda720be

SHA1
d2132f7129a7003ec4c0392f0f08cd24ea353da6

SHA256
192d1e6078570865531e8a4c9840a483c4a2ac35fe468107284991f6da813191

SHA512
e390d51e95db5e56c666a2895dc87dab41d97e7ce3c0df1f2466abf14a651167232521ab5f52746d16bab0ef14e6c0ee9dcfe29894604d695b0d064909378227

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD

Filesize
194KB

MD5
ef0f13b903f00ae25c47533aa6e00ca6

SHA1
4f9b39f5be2210138165a4939c44812731e9e655

SHA256
c53060ae37be8a4633513f30c176366c677eb0f72a7ae0530ee1d9e1d66c8395

SHA512
dea6c1f29d52e889888817fddcf9b0ee8a409134be00af36bc71cf7206f01d941e74f0fc98e94c0620f44438ef3cb85c6d7d30027769b1ec0201e6ba678eccc4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

Filesize
129B

MD5
d55bf0642872c22b0e0e38e25a5826c7

SHA1
39c2645e54a28ab8ae0c1cd29f333bd3b128140f

SHA256
679f371dbc80bd389bf1f2c1b7d130136d4a51e6ae66d3acf2d555f9929eb330

SHA512
517cf332077e1324d779cd1be69e4ef2832c50869c4cf4df926a4befb678c54b598fed84385503b17eb8d6c5d852c343b7d8f69e0407ae8e99c9af2da8e5d1b6

Download Submit
\ProgramData\43C4.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2168-0-0x0000000000E90000-0x0000000000ED0000-memory.dmp

Filesize
256KB

Download
memory/2332-882-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/2332-881-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2332-884-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/2332-912-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2332-913-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2332-914-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2332-915-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads