aa723e997d3d20b7118fed95c75a5a88e835fa152a684bafd4de2469482ec476

General

Target

a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe
Size

2.0MB
MD5

397acc39bb34ccc49fa72cb2e56110db
SHA1

c9e6811fe50c23cdc5875b1fa33df727feaf61fa
SHA256

a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46
SHA512

2b9effed3e5d4231fb63f593e850d53b5e6c3e32819201862038862a3c67db1678ee44052a926d818c290f85ad5a9087b3fa9f38cca304dd2fe478a2504061ef
SSDEEP

49152:OFUcx88PWPOpX0SFNUVrFhVJeVWhKvIFtz27JkskDx8XoTa9T7bPRyGc:O+K88uPCH/whdeghGbxpRyGc

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	8647.tmp

Executes dropped EXE 1 IoCs

pid	Process
3904	8647.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8647.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	8647.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1460	WINWORD.EXE
1460	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3904	8647.tmp

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE
1460	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 3904	872	a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe	84
PID 872 wrote to memory of 3904	872	a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe	84
PID 872 wrote to memory of 3904	872	a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe	84
PID 3904 wrote to memory of 1460	3904	8647.tmp	93
PID 3904 wrote to memory of 1460	3904	8647.tmp	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe
"C:\Users\Admin\AppData\Local\Temp\a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\8647.tmp
  "C:\Users\Admin\AppData\Local\Temp\8647.tmp" --splashC:\Users\Admin\AppData\Local\Temp\a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.exe 5172A7ECA9EF924BCC2BD0DD5639C96696416C1C12DC22D26AC9AA0E140BAB71640CD779D80F74B6DE6127068CC130971AB36A5A33F66B7DA4232673BA797330
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8647.tmp

Filesize
2.0MB

MD5
0daf1f8cfb9669f5503cbe3c9191e587

SHA1
ebfd03748717f3d6b4fe7ed5b1c3a1e7c2253e6a

SHA256
1aa63030e1cec6e57fb8793a68264fdbdc6a3523b572b30c4dc076a964d221d9

SHA512
1d977dad7377764fc82fcb965757f2f52b09280230076193c80e80d0de242d2b0bfee780940108221e65c83c0709a661eecf93b8e5a431a66671fc2cae67d531

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9a0a5db1e1d5058b3763a26a10ea50588f839b7ec1746a7a109e6f049a96e46.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
memory/872-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1460-22-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-21-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-14-0x00007FFB8402D000-0x00007FFB8402E000-memory.dmp

Filesize
4KB

Download
memory/1460-13-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1460-12-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1460-15-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1460-17-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-20-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-19-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-23-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-24-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-46-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-25-0x00007FFB41F80000-0x00007FFB41F90000-memory.dmp

Filesize
64KB

Download
memory/1460-11-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1460-18-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/1460-27-0x00007FFB41F80000-0x00007FFB41F90000-memory.dmp

Filesize
64KB

Download
memory/1460-26-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-16-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-28-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-29-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-30-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-31-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-33-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/1460-32-0x00007FFB83F90000-0x00007FFB84185000-memory.dmp

Filesize
2.0MB

Download
memory/3904-5-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads