75e5cc4a0b07d6ebe301388cb75527b992ce4cd1bd224fe7e6d6e63fbabefd89

General

Target

20799bc55b8c1ce917f3ccf363b6e5dc.exe
Size

48KB
MD5

20799bc55b8c1ce917f3ccf363b6e5dc
SHA1

8d56851f7d9fa6bb8e79961da2bebaaae23893f6
SHA256

75e5cc4a0b07d6ebe301388cb75527b992ce4cd1bd224fe7e6d6e63fbabefd89
SHA512

9e4471c856cf5e1e941983016964524eb09b2b688f681ccd4f118a99547ba78135a2f5b774e04da84eef2d8aca0b19feee4643f7e34249ae8e408cca494c673e
SSDEEP

768:wGxG8ftqr1Hq4nbAyUilCamQV2YlyW4Xw9cxK9uN3UAC8wTreLXP:wcrftqr1HXpUizCWPcxx/zAeLXP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	20799bc55b8c1ce917f3ccf363b6e5dc.exe

Deletes itself 1 IoCs

pid	Process
1440	abs.exe

Executes dropped EXE 3 IoCs

pid	Process
4016	kernel32.exe
1440	abs.exe
60	kernel32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel32.exe	kernel32.exe
File opened for modification	C:\Windows\SysWOW64\kernel32.exe	kernel32.exe
File created	C:\Windows\SysWOW64\kernel32.dfg	kernel32.exe
File created	C:\Windows\SysWOW64\kernel32.exe	kernel32.exe
File created	C:\Windows\SysWOW64\kernel32.asf	kernel32.exe
File created	C:\Windows\SysWOW64\00616.dat	kernel32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	20799bc55b8c1ce917f3ccf363b6e5dc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5012	WINWORD.EXE
5012	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	kernel32.exe
60	kernel32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	kernel32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe
1440	abs.exe
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE
5012	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4016	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	23
PID 3940 wrote to memory of 4016	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	23
PID 3940 wrote to memory of 4016	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	23
PID 3940 wrote to memory of 5012	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	22
PID 3940 wrote to memory of 5012	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	22
PID 3940 wrote to memory of 1440	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	21
PID 3940 wrote to memory of 1440	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	21
PID 3940 wrote to memory of 1440	3940	20799bc55b8c1ce917f3ccf363b6e5dc.exe	21
PID 60 wrote to memory of 616	60	kernel32.exe	97

C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.exe
"C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\AppData\Local\Temp\abs.exe
  "C:\Users\Admin\AppData\Local\Temp\abs.exe" C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.exe C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.doc
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\kernel32.exe
  "C:\Users\Admin\AppData\Local\Temp\kernel32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4016

C:\Windows\SysWOW64\kernel32.exe
C:\Windows\SysWOW64\kernel32.exe -k netsvcs
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20799bc55b8c1ce917f3ccf363b6e5dc.doc

Filesize
20KB

MD5
e34eea040e37629191291d77591e93ec

SHA1
c53623b4b5b6e1c6fb2cd3444b57d4854a261db1

SHA256
3086b360e0cd9d7ddf3e04f099d50a392325e7378821fe21d6ccb16eff4bec95

SHA512
e66372b178f6aab2247b47ecf8bee0fcd75504fbf7ba26e7d2c7fced0fa69add605adf0ab0073105dc7811ee11d6ac848335af4e158de74d21e29874c7bd18a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\abs.exe

Filesize
48KB

MD5
20799bc55b8c1ce917f3ccf363b6e5dc

SHA1
8d56851f7d9fa6bb8e79961da2bebaaae23893f6

SHA256
75e5cc4a0b07d6ebe301388cb75527b992ce4cd1bd224fe7e6d6e63fbabefd89

SHA512
9e4471c856cf5e1e941983016964524eb09b2b688f681ccd4f118a99547ba78135a2f5b774e04da84eef2d8aca0b19feee4643f7e34249ae8e408cca494c673e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kernel32.exe

Filesize
14KB

MD5
7cb65bc64fc13cf8bf95a1ff220c784e

SHA1
a54ad63f33ae7bc6bd19de627c8d3ba9293d5740

SHA256
4bebee57f3ca48df6a8ece900954484905a67aaa1806ff65933ba94f61c4f539

SHA512
7ca01662c1f2407d7555d0de8113f9945a58047a928a8569649ca7968a683cc1070b319c9de6a2655da80b1cd75c6fc5f806b69acd59c505273b4269cea57790

Download Submit
memory/60-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/60-58-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1440-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1440-41-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3940-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3940-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4016-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4016-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5012-42-0x00007FFBBF390000-0x00007FFBBF3A0000-memory.dmp

Filesize
64KB

Download
memory/5012-34-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-43-0x00007FFBBF390000-0x00007FFBBF3A0000-memory.dmp

Filesize
64KB

Download
memory/5012-36-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-35-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-33-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-31-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-29-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-27-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-39-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-19-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-37-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-38-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-40-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-32-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-69-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-28-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-71-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-91-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-92-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-95-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-96-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-94-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download
memory/5012-93-0x00007FFC01C70000-0x00007FFC01E65000-memory.dmp

Filesize
2.0MB

Download
memory/5012-90-0x00007FFBC1CF0000-0x00007FFBC1D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads