6f700f26d07ac71f871247af062375dc8a8c8aaf3209bc87a4345a0199dd6863

General

Target

loader_64.exe
Size

7.2MB
MD5

4dd5c68b13c477a52c78e73485da537d
SHA1

5350d568f3b8ad99187658b33d27d56b4b7e9a8b
SHA256

6f700f26d07ac71f871247af062375dc8a8c8aaf3209bc87a4345a0199dd6863
SHA512

49b76a238aedf81d8d3923692c2a8db315f2cb202c318add07e7a817a1150b3f176e5cafcd773b823659df26273b44cb8cdfbd7a729bc542773ce763b3876988
SSDEEP

196608:gI4xsACmyov6kJS6YXApBH8u9hX9eDOgZvz3rZdXZ7M7RVbZq:iIMCt4pBH8uDX9eDZZnq7U

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4872-0-0x00007FF71E1A0000-0x00007FF71F278000-memory.dmp	upx

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4648	WINWORD.EXE
4648	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE
4648	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\loader_64.exe
"C:\Users\Admin\AppData\Local\Temp\loader_64.exe"
1⤵
PID:4872

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
memory/4648-16-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-18-0x00007FFD40300000-0x00007FFD40310000-memory.dmp

Filesize
64KB

Download
memory/4648-3-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-2-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-5-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-6-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-7-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-8-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-9-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-10-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-11-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-12-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-13-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-14-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-15-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-67-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-4-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-19-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-17-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-20-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-21-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-22-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-24-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-23-0x00007FFD40300000-0x00007FFD40310000-memory.dmp

Filesize
64KB

Download
memory/4648-66-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-57-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-61-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-62-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-64-0x00007FFD82730000-0x00007FFD82925000-memory.dmp

Filesize
2.0MB

Download
memory/4648-63-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4648-65-0x00007FFD427B0000-0x00007FFD427C0000-memory.dmp

Filesize
64KB

Download
memory/4872-1-0x00007FF71E1A0000-0x00007FF71F278000-memory.dmp

Filesize
16.8MB

Download
memory/4872-0-0x00007FF71E1A0000-0x00007FF71F278000-memory.dmp

Filesize
16.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads