fda3e17024fa1bfc3f4af7358c639e5f77a400ab90291f1a1cf6988fe1a531e8

General

Target

637efa15b6dbaeexeexeexeex.exe
Size

467KB
MD5

637efa15b6dbae93ddd0cb9137c09e08
SHA1

98b35aff49353c353675ae9b2a73eb80b34d59a2
SHA256

fda3e17024fa1bfc3f4af7358c639e5f77a400ab90291f1a1cf6988fe1a531e8
SHA512

c84e292dc3313b77e2b56b0d9dad2af05e21a2a22842c341446eb86b7baea1b8f5233f5e7097f46dde84f105a3af5954c97a7360e36c5d056993496a8889b086
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iSt4hB5py1ZW94F3A/AwgPfzVwcBJlwLkB31j5:Bb4bZudi79Lxbpy1ZQ4nrLls8ojmZAk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	1567.tmp

Executes dropped EXE 1 IoCs

pid	Process
3888	1567.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	1567.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3888	1567.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE
316	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3888	3576	637efa15b6dbaeexeexeexeex.exe	84
PID 3576 wrote to memory of 3888	3576	637efa15b6dbaeexeexeexeex.exe	84
PID 3576 wrote to memory of 3888	3576	637efa15b6dbaeexeexeexeex.exe	84
PID 3888 wrote to memory of 316	3888	1567.tmp	85
PID 3888 wrote to memory of 316	3888	1567.tmp	85

C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\1567.tmp
  "C:\Users\Admin\AppData\Local\Temp\1567.tmp" --helpC:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe CB919E29E6C758C3B07D6B37D41607500D8F2ED02DE2BC4FFB52DA25D3E389843DB4234D82073CC8042846CD22BD7D4A2AFC7E8F9018B30DD20BA32A1989AA94
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1567.tmp

Filesize
467KB

MD5
c8032eb6706c30d39419d023926b8947

SHA1
a88c51847c4994839fa70d6d2b4674eeea27a54e

SHA256
149682d0b083f8962c689f53c930c148955fdb8847a64a64d53417e2977a214d

SHA512
0a2b033a0c9f0bef44be5c46d2c65854c06a8d208815389ce173812fe74ff36f50a4be1dee5102d5a0e04bdb48bb48a921e6a05fa0e306df3dde2e9d144f4408

Download Submit
C:\Users\Admin\AppData\Local\Temp\1567.tmp

Filesize
467KB

MD5
c8032eb6706c30d39419d023926b8947

SHA1
a88c51847c4994839fa70d6d2b4674eeea27a54e

SHA256
149682d0b083f8962c689f53c930c148955fdb8847a64a64d53417e2977a214d

SHA512
0a2b033a0c9f0bef44be5c46d2c65854c06a8d208815389ce173812fe74ff36f50a4be1dee5102d5a0e04bdb48bb48a921e6a05fa0e306df3dde2e9d144f4408

Download Submit
C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/316-151-0x00007FF81F080000-0x00007FF81F090000-memory.dmp

Filesize
64KB

Download
memory/316-149-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-150-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-148-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-152-0x00007FF81F080000-0x00007FF81F090000-memory.dmp

Filesize
64KB

Download
memory/316-147-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-146-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-184-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-185-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-186-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download
memory/316-187-0x00007FF821650000-0x00007FF821660000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads