b94c2f056b77094f19068a7ecc1c59a428b0d6505f8e65f9d8172ebc4e7669c3 | Triage

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:54 UTC

Sharing

Report Analysis Logs

General

Target

c05c01fd318b74exeexeexeex.exe
Size

467KB
MD5

c05c01fd318b741f8b17cd6b91d471c8
SHA1

e6ea6ea94fd1ce09d8538386c3d8c7db81857906
SHA256

b94c2f056b77094f19068a7ecc1c59a428b0d6505f8e65f9d8172ebc4e7669c3
SHA512

2013e8c04c648b3476e4fec6fbbe143f035a1a1e3ff0ea374ee9e5c2f777bed039ae120a3be6621f184924a57c6ba057078b81683cb7ab18b35ecd178683ff57
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iSt7KxMgz6Nf3DQB+in9SLeP3QVD0ZKHKrpSGo:Bb4bZudi79LeKxTmrQBzusYDpKZ6Ak

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	7678.tmp

Executes dropped EXE 1 IoCs

pid	Process
1976	7678.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	7678.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3480	WINWORD.EXE
3480	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1976	7678.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE
3480	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1976	3300	c05c01fd318b74exeexeexeex.exe	83
PID 3300 wrote to memory of 1976	3300	c05c01fd318b74exeexeexeex.exe	83
PID 3300 wrote to memory of 1976	3300	c05c01fd318b74exeexeexeex.exe	83
PID 1976 wrote to memory of 3480	1976	7678.tmp	85
PID 1976 wrote to memory of 3480	1976	7678.tmp	85

C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\7678.tmp
  "C:\Users\Admin\AppData\Local\Temp\7678.tmp" --helpC:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe 7C5C19C73950EA667B67860AA2931ED6AE97593704EA868A62003ECC7006DFEEF04593BCC63C4797FA02B24ADBA16A66819810805B78E03FA6381C8573BE5C01
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3480

Network

DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

254.210.247.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.210.247.8.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

24.32.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

24.32.109.52.in-addr.arpa

IN PTR

Response
DNS

7.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

7.173.189.20.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

45.8.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.8.109.52.in-addr.arpa

IN PTR

Response
DNS

126.138.241.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

126.138.241.8.in-addr.arpa

IN PTR

Response
DNS

10.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.179.89.13.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

254.210.247.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.210.247.8.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

24.32.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

24.32.109.52.in-addr.arpa
8.8.8.8:53

7.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

7.173.189.20.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

45.8.109.52.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

45.8.109.52.in-addr.arpa
8.8.8.8:53

126.138.241.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

126.138.241.8.in-addr.arpa
8.8.8.8:53

10.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

10.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7678.tmp

Filesize
467KB

MD5
66ddcb336fb48b523570044b4e1a99bc

SHA1
55a569ecfd47b8b3e53be71692d19cd733f26fbd

SHA256
7e0583f591aff39123d6dee8b944d81c183f96042668e2197968325809eb5c85

SHA512
0dfd071162ced34a27792bfba0b883d69bf2693cc67f3c7b38a1d8c824aee664675cd63358008a98726b6553e12e4903c2f41400f3bfadcfc437e19e93dd51d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7678.tmp

Filesize
467KB

MD5
66ddcb336fb48b523570044b4e1a99bc

SHA1
55a569ecfd47b8b3e53be71692d19cd733f26fbd

SHA256
7e0583f591aff39123d6dee8b944d81c183f96042668e2197968325809eb5c85

SHA512
0dfd071162ced34a27792bfba0b883d69bf2693cc67f3c7b38a1d8c824aee664675cd63358008a98726b6553e12e4903c2f41400f3bfadcfc437e19e93dd51d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3480-151-0x00007FFE4D7D0000-0x00007FFE4D7E0000-memory.dmp

Filesize
64KB

Download
memory/3480-150-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-149-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-147-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-152-0x00007FFE4D7D0000-0x00007FFE4D7E0000-memory.dmp

Filesize
64KB

Download
memory/3480-148-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-146-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-187-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-188-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-189-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download
memory/3480-190-0x00007FFE4F8F0000-0x00007FFE4F900000-memory.dmp

Filesize
64KB

Download