Overview

overview

10

Static

static

10

Document.doc.scr

windows7-x64

9

Document.doc.scr

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.doc.scr

  • Size

    194KB

  • MD5

    407ea767aa26ae13f9ff20d0999c8dda

  • SHA1

    07e615132ef78e827047ffc4cc6c9d44f5a976fd

  • SHA256

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4

  • SHA512

    6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02

  • SSDEEP

    3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
    "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1596
    • C:\ProgramData\7E97.tmp
      "C:\ProgramData\7E97.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7E97.tmp >> NUL
        3⤵
          PID:4592
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1716
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{672560FC-7CB1-4898-AEAA-0A9827DA40CD}.xps" 133638647257810000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:1456

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\MMMMMMMMMMM
        Filesize

        129B

        MD5

        215dbe4ce341d17c88d9a6f63151fb18

        SHA1

        13dae4153e269369d28c8c9167132e4e58c0ac19

        SHA256

        fb10ed3366b39acec2299d4f128fcc90cdf8b35174d9a7aac661b5439231c09e

        SHA512

        f1f1995bd0c03a7a64d87d6b12ce14c2a80f9eda90d78f2623f02795565593dc57650b5896ffef813ca6e579920ab0c7a29755e6c2ad1c02736a7ac340acc7bc

        Download Submit

      • C:\ProgramData\7E97.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\FFFFFFFFFFFFFFFF
        Filesize

        194KB

        MD5

        214ff208953cc94264906f8243af66fa

        SHA1

        16bfad2f46d703968b048698d9b61b5d6d314463

        SHA256

        e46c54b33be6f74e487b340bd3a2df7286348a974ee5ce2d23d12e1def961eee

        SHA512

        0e7f7fcb633decd47647e2011b1a1d3d986316899eb1fc9399f9a7059db3d4bdeccadb05d863ce4b4bcffcdffe62b17805296fdc5f56ae9443e90b105544e3bb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{9BF6BBB6-7AA7-4270-8703-7596DB765571}
        Filesize

        4KB

        MD5

        717b8533618484ebddfe1048c1abfd05

        SHA1

        b6a2573538528570269b3d6c30094bed58e4282a

        SHA256

        8b65044b98b2f35ae7e0421c429d8e0cd0abb063424c4b4cc30d31ea01b9ec2e

        SHA512

        edb191888ea994d8107b7298b4e36eff9b503e4a1bff5f59833854dbc80e4b4533f747786fdbe5560a32903e351b7ab9e47f0f3c8f91e9db658b0378e32dfb60

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        ca0b4c16b235fd769fb906901d730c92

        SHA1

        71074d7f63f177d70daf9069f14bcb253c7ab141

        SHA256

        ebb0297a957bfb0797f7ce76e2b021df8f86b2507dba17a665b1b3e833e69635

        SHA512

        1c6abc09e9ad0cdba98e658d69569962170f598490250ad0c344dc5e41280df69500f240e7c0efdab7b3120cd2396ebca4cd59684fd9a1a4734d2be7bd18027c

        Download Submit

      • C:\jC7CNxlVt.README.txt
        Filesize

        434B

        MD5

        ad29bd8c66e114ff57c943d16c78f72a

        SHA1

        5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

        SHA256

        6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

        SHA512

        a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\EEEEEEEEEEE
        Filesize

        129B

        MD5

        07644df029bb396ac99361b8dbb9ca5e

        SHA1

        c0a031226fc0a3ba21917bd6376b6b4e420be3ee

        SHA256

        051119686d36c5621aadfa8ab3e09e1508978643e8eda2dfd7d3645654dfff04

        SHA512

        792150bc027ce8f2714e93fdac0f93d8e85f2ee7390b16cbe4e892ebb3a4ea404eb436fc7c1965e95fe26717607b11151a20ad4eff74a6e95a18de9d68b498a4

        Download Submit

      • memory/936-2-0x0000000002D80000-0x0000000002D90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/936-0-0x0000000002D80000-0x0000000002D90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/936-1-0x0000000002D80000-0x0000000002D90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2738-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2742-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2740-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2739-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2741-0x00007FF7CDFD0000-0x00007FF7CDFE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2771-0x00007FF7CB710000-0x00007FF7CB720000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1456-2772-0x00007FF7CB710000-0x00007FF7CB720000-memory.dmp

        Filesize

        64KB

        Download