30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb

General

Target

30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe
Size

3.9MB
MD5

92263c40931a39f74b9f9103e967ab73
SHA1

df5fe993b0ef135a831a7bf9484df1d35ecb1f78
SHA256

30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb
SHA512

3b4650ef220daabc5b1350032e0d1307b70e0135681646e7a26e46a10310ab2b84016429e3322bf3014c38f726e0b7bb78f2fc72fe6ff2776954df7685495064
SSDEEP

49152:qmxlNVWJBKvboxLvLg0JJnYKLZc5ZvIRMoqJ3P+:qmxb+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
896	4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1248	WINWORD.EXE
1248	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1248	WINWORD.EXE
1248	WINWORD.EXE
1248	WINWORD.EXE
1248	WINWORD.EXE
1248	WINWORD.EXE
1248	WINWORD.EXE
1248	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2272	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	85
PID 2300 wrote to memory of 2272	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	85
PID 2300 wrote to memory of 1528	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	88
PID 2300 wrote to memory of 1528	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	88
PID 1528 wrote to memory of 896	1528	cmd.exe	90
PID 1528 wrote to memory of 896	1528	cmd.exe	90
PID 2300 wrote to memory of 1488	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	91
PID 2300 wrote to memory of 1488	2300	30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe	91
PID 2272 wrote to memory of 1248	2272	cmd.exe	93
PID 2272 wrote to memory of 1248	2272	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe
"C:\Users\Admin\AppData\Local\Temp\30290500699597a4c11ede5ae6d624f44afee2132e630c266d85506f1fc5e3fb.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k start a.docx
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1248
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c C:\Windows\Temp\4.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\Temp\4.exe
    C:\Windows\Temp\4.exe
    3⤵
    - Executes dropped EXE
    PID:896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del outfile.exe
  2⤵
  PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a.docx

Filesize
9KB

MD5
69a8e4d41bd53f52922d89d2247c556b

SHA1
6440bec7ae4a10dac314de2d842a6227ff17bc16

SHA256
242389c57507a3b5c1da5af2eca1ada4f2a248434352aa52d88075c52ce34ead

SHA512
225f6cddf3c023c0d8079e1eef363ffa8f0575e13ddef594172488262d2d23d1f70c5a16e4faaed15db51bdfc64a1eb587288ebc0ea3592fd04d9edffd69876c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\Temp\4.exe

Filesize
1.7MB

MD5
6eded1e524244c958fab87fe9895c84e

SHA1
efb4098ba388c876eeb479cf5614c86bc6f55d0d

SHA256
f3182cf783fd2051e547c50a70a08fc94869481b99b7e2937fd87e25081c524d

SHA512
433feb9f7998f409b94cfa5e3a69f5fad6a5dfbd60d4edf6fb7f9d5ee75a65c8de41cc65a9bd21581564477f738369333b12e06b549c248920e8494832239b7f

Download Submit
C:\Windows\Temp\4.exe

Filesize
1.7MB

MD5
6eded1e524244c958fab87fe9895c84e

SHA1
efb4098ba388c876eeb479cf5614c86bc6f55d0d

SHA256
f3182cf783fd2051e547c50a70a08fc94869481b99b7e2937fd87e25081c524d

SHA512
433feb9f7998f409b94cfa5e3a69f5fad6a5dfbd60d4edf6fb7f9d5ee75a65c8de41cc65a9bd21581564477f738369333b12e06b549c248920e8494832239b7f

Download Submit
memory/896-43-0x0000000140000000-0x00000001402D6000-memory.dmp

Filesize
2.8MB

Download
memory/896-7-0x0000000140000000-0x00000001402D6000-memory.dmp

Filesize
2.8MB

Download
memory/1248-22-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-21-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-12-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-13-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-14-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-15-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-16-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-17-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-18-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-19-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-20-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-23-0x00007FF9C0620000-0x00007FF9C0630000-memory.dmp

Filesize
64KB

Download
memory/1248-10-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-24-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-25-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-11-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-27-0x00007FF9C0620000-0x00007FF9C0630000-memory.dmp

Filesize
64KB

Download
memory/1248-26-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-9-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-75-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-44-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-45-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-46-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-69-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-70-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-71-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/1248-74-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-73-0x00007FFA029B0000-0x00007FFA02BA5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-72-0x00007FF9C2A30000-0x00007FF9C2A40000-memory.dmp

Filesize
64KB

Download
memory/2300-6-0x00007FF7E5C40000-0x00007FF7E6033000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads