d37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90

General

Target

WindowsCodecs.dll
Size

10KB
MD5

c7b906017453f3ce54da40a98c1a55ab
SHA1

5b9121f627af1b308c31f6a4711621738b09044b
SHA256

47074a6d033966d07e4587705401533ad6c5fa2b11303c520a37999337d1a1eb
SHA512

51a6cc86f5968f5b6badc4283eb2405e4d6f4ff3f7e58dcd6283d81bfef56f1a0cfcdc0dc7378a3daac6ae74e2e9f5c5290a223b51d3890bfc61431988dc4180
SSDEEP

96:VBFdaEA1lrAcH5ocDxoouJo4rvPhZJOu6sQRB0GyURTzSDQrO7V:LaEuZfDaJ/hEBZBcQrU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3124 timeout.exe

pid	process
3124	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4108 taskkill.exe
3868 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4032 WINWORD.EXE
4032 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4108 taskkill.exe
Token: SeDebugPrivilege 3868 taskkill.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

4032 WINWORD.EXE
4032 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE
4032 WINWORD.EXE

pid	process
4108	taskkill.exe
3868	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000_Classes\Local Settings	cmd.exe

pid	process
4032	WINWORD.EXE
4032	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe

pid	process
4032	WINWORD.EXE
4032	WINWORD.EXE

pid	process
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE
4032	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1484 wrote to memory of 4836	1484	rundll32.exe	cmd.exe
PID 1484 wrote to memory of 4836	1484	rundll32.exe	cmd.exe
PID 4836 wrote to memory of 2848	4836	cmd.exe	WScript.exe
PID 4836 wrote to memory of 2848	4836	cmd.exe	WScript.exe
PID 2848 wrote to memory of 2108	2848	WScript.exe	cmd.exe
PID 2848 wrote to memory of 2108	2848	WScript.exe	cmd.exe
PID 4836 wrote to memory of 3364	4836	cmd.exe	attrib.exe
PID 4836 wrote to memory of 3364	4836	cmd.exe	attrib.exe
PID 2108 wrote to memory of 2216	2108	cmd.exe	chcp.com
PID 2108 wrote to memory of 2216	2108	cmd.exe	chcp.com
PID 2108 wrote to memory of 3124	2108	cmd.exe	timeout.exe
PID 2108 wrote to memory of 3124	2108	cmd.exe	timeout.exe
PID 4836 wrote to memory of 4032	4836	cmd.exe	WINWORD.EXE
PID 4836 wrote to memory of 4032	4836	cmd.exe	WINWORD.EXE
PID 4836 wrote to memory of 4108	4836	cmd.exe	taskkill.exe
PID 4836 wrote to memory of 4108	4836	cmd.exe	taskkill.exe
PID 2108 wrote to memory of 3868	2108	cmd.exe	taskkill.exe
PID 2108 wrote to memory of 3868	2108	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3364 attrib.exe

pid	process
3364	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WindowsCodecs.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c calc.cmd
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2216

C:\Windows\system32\timeout.exe
timeout 300
5⤵
- Delays execution with timeout.exe
PID:3124

C:\Windows\system32\taskkill.exe
taskkill /im msedge.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\system32\attrib.exe
attrib -h -r /s
3⤵
- Views/modifies file attributes
PID:3364

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\war.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\system32\taskkill.exe
taskkill /F /IM "war .EXE"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.bat

Filesize
574B

MD5
1c28e4650b89c53b1bfbaa681df69b6e

SHA1
4a35b98da5127ee907cd861089a67ee921f001d9

SHA256
f772458b163fdf1a1a22fceedfa822174f7ba622e71347473bf543ee617c9150

SHA512
85483b4f8b274d1b3f498aa94b51b5d1cd3b4644d3d1e43c22d74b496fbaf98d25c694888d7e72f498031f22f8c44c82377a6b3fdc5bca8c6f895172d532d3d0

Download Submit
C:\ProgramData\488354ce-01ce-4d45-b47a-88701d40c52a.vbs

Filesize
130B

MD5
9db9550d272e9aeac7d7f4e0e4992e49

SHA1
a64f1d2de1105a1c231db36e35b5aa49b5d4a67f

SHA256
dea3e44a690518ac8661d541ce6420ad62c0675ff1f048f96d3914238c05729f

SHA512
fa6c0564cad085039a58f646ec26ea2a7e577e833ece5219b5e62ccb1effab013bf690fbe6fc032a3e55e7525cffe1476b607b173a5636f3ad27cb8891252318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4032-19-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-21-0x00007FFC497A0000-0x00007FFC497B0000-memory.dmp

Filesize
64KB

Download
memory/4032-10-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-11-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-12-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-13-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-14-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-15-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-16-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-17-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-18-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-8-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-20-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-9-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-22-0x00007FFC497A0000-0x00007FFC497B0000-memory.dmp

Filesize
64KB

Download
memory/4032-7-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-50-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-51-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-52-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-77-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-78-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-79-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-81-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-80-0x00007FFC4BC10000-0x00007FFC4BC20000-memory.dmp

Filesize
64KB

Download
memory/4032-82-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-84-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download
memory/4032-83-0x00007FFC8BB90000-0x00007FFC8BD85000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads