Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15-05-2024 10:01
Behavioral tasks
- behavioral1: sample "Predstavlenie № 6-51-2024 .docx.exe", resource win10-20240404-en
- behavioral2: sample $TEMP/rupedoras.exe, resource win10-20240404-en
- behavioral3: sample $TEMP/zapros.docx, resource win10-20240404-en
General
- Target: Predstavlenie № 6-51-2024 .docx.exe
- Size: 11.3MB
- MD5: 45ae0c08a1fb98fe77e4cd127b79ef7d
- SHA1: 12c7847fc2567ee9e6c0010f5c311753c017fa48
- SHA256: bb8165b8f60818061d12cac775d8d41436b16c9b40e01071fca7fb96f6ef435e
- SHA512: 21cc13630fc1fe3bea4d45e356e63d4e94db7357040793b4d091ef75b2cf05191037380c493b944d1ecf748b9bd9935f1f91ba0c8654c57dbbe4530ab4fff4cd
- SSDEEP: 196608:fxtCbFLyXyLm+2WzU4qrVTcHHRBTue9iSoCVMbgb/x3/18afx:fWxL4S2kCVsHRsekTCVxhjx
Malware Config
Signatures
- DarkTrack payload (4 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2152-704-0x0000000000400000-0x00000000004A8000-memory.dmp | family_darktrack
    behavioral1/memory/2152-705-0x0000000000400000-0x00000000004A8000-memory.dmp | family_darktrack
    behavioral1/memory/2152-707-0x0000000000400000-0x00000000004A8000-memory.dmp | family_darktrack
    behavioral1/memory/2152-706-0x0000000000400000-0x00000000004A8000-memory.dmp | family_darktrack
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rupedoras.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rupedoras.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rupedoras.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    4388 | rupedoras.exe
- Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\rupedoras.exe | themida
    behavioral1/memory/4388-200-0x0000000000400000-0x0000000001F60000-memory.dmp | themida
    behavioral1/memory/4388-201-0x0000000000400000-0x0000000001F60000-memory.dmp | themida
    behavioral1/memory/4388-711-0x0000000000400000-0x0000000001F60000-memory.dmp | themida
- Processes:
    resource | yara_rule
    behavioral1/memory/2152-701-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/2152-704-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/2152-702-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/2152-705-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/2152-707-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
    behavioral1/memory/2152-706-0x0000000000400000-0x00000000004A8000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\KWn3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rupedoras.exe" | Predstavlenie № 6-51-2024 .docx.exe
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rupedoras.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
    pid | process
    4388 | rupedoras.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 4388 set thread context of 2152 | 4388 | rupedoras.exe | AddInProcess32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | Predstavlenie № 6-51-2024 .docx.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    2892 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | process
    4388 | rupedoras.exe (6 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    2152 | AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 4388 | rupedoras.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
    pid | process
    2892 | WINWORD.EXE (7 identical entries)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    description | pid | process | target process
    PID 344 wrote to memory of 2892 | 344 | Predstavlenie № 6-51-2024 .docx.exe | WINWORD.EXE (2 identical entries)
    PID 344 wrote to memory of 4388 | 344 | Predstavlenie № 6-51-2024 .docx.exe | rupedoras.exe (3 identical entries)
    PID 4388 wrote to memory of 1276 | 4388 | rupedoras.exe | AddInProcess32.exe (7 identical entries)
    PID 4388 wrote to memory of 2152 | 4388 | rupedoras.exe | AddInProcess32.exe (7 identical entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\Predstavlenie № 6-51-2024 .docx.exe"
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapros.docx" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\TCDB01A.tmp\iso690.xsl
  Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- C:\Users\Admin\AppData\Local\Temp\rupedoras.exe
  Filesize: 11.2MB
  MD5: d483c1a9718cf5d880b3cce5d6ff7423
  SHA1: 72be5e949dd6923a43e7eaab1811baea4bc4b644
  SHA256: 8df595a1528a09fdcfe237a7dd1009d1380a886875747d1b145925968463f7bd
  SHA512: 370e220b3bdb617a12479db075ee26741075306ce7a72237115b2d79c452baadf931ccf3b422e9d0ef1eb0138316c3233f3ecd27074f3e797dc20ee974eb6fe4
- C:\Users\Admin\AppData\Local\Temp\zapros.docx
  Filesize: 11KB
  MD5: 9871272af8b06b484f0529c10350a910
  SHA1: 707979b027f371989fb71e36795b652a2d466592
  SHA256: c2a256547433bec8d7afbed923f453eb2df978f18ed498e82bb2b244b126a9f3
  SHA512: 5bd60de706ed3ef717177b08fa69ebc8117fe52bf53e896b91d102430b4b976b136f2df75fe4d1cb9cf16f5e73052e030e364bdf212148b1471e9c2b99f76a4c