1648038fd245e6039979f6488029d56b06520d728a237af9ad471ee9d6189c3e

General

Target

MyPigPrincess.exe
Size

269KB
MD5

0abede34f4b18049c4dc7bddb9bb0080
SHA1

d6bfb7ea85482b345499cefd4e41cd7ce604637c
SHA256

1648038fd245e6039979f6488029d56b06520d728a237af9ad471ee9d6189c3e
SHA512

a4b172d1b3d9e8e5f3aabb5208066c30c03943b7bebfe3c759fc6c6592eca7273f9cec675bb603f6aeef5ff058a4ea4a34ef9ecd4485caeaeef9eb6d5d61cea3
SSDEEP

6144:AnAlOPl7hWKsmMrDZ6UhukTUG3EEXMsWtvV2j9OAq8ecUxILImQG8j:YrlNWKsmMrDZ6UhukTUG3EEXMsWtvV2s

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4696	WINWORD.EXE
4696	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3748	svchost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4696	WINWORD.EXE
4696	WINWORD.EXE
4696	WINWORD.EXE
4696	WINWORD.EXE
4696	WINWORD.EXE
4696	WINWORD.EXE
4696	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe
"C:\Users\Admin\AppData\Local\Temp\MyPigPrincess.exe"
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
dd0c1d22223d8d0e4e271a25a6576eb5

SHA1
24db1209d718bd8eb443da6eec2ee28d39aaecd8

SHA256
c5b636a315f8af0aac9068a2517dbb1fe136a77b9baefd12af102e65b28a13e2

SHA512
fe7568b22218c10b268c115f2209ffa8282777e354a9ce0980857879c0364f005fb6af69627e95286a8229191d34e97479498986c657c6d4a394e54731653195

Download Submit
memory/1876-0-0x0000000140000000-0x000000014004B000-memory.dmp

Filesize
300KB

Download
memory/3748-1-0x0000025D2F8A0000-0x0000025D2F8B0000-memory.dmp

Filesize
64KB

Download
memory/3748-17-0x0000025D2F9A0000-0x0000025D2F9B0000-memory.dmp

Filesize
64KB

Download
memory/3748-33-0x0000025D37D10000-0x0000025D37D11000-memory.dmp

Filesize
4KB

Download
memory/3748-35-0x0000025D37D30000-0x0000025D37D31000-memory.dmp

Filesize
4KB

Download
memory/3748-36-0x0000025D37D30000-0x0000025D37D31000-memory.dmp

Filesize
4KB

Download
memory/3748-37-0x0000025D37D40000-0x0000025D37D41000-memory.dmp

Filesize
4KB

Download
memory/4696-41-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-52-0x00007FFC22430000-0x00007FFC22440000-memory.dmp

Filesize
64KB

Download
memory/4696-40-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-43-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-42-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-45-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-44-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-46-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-47-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-48-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-49-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-50-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-51-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-39-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-53-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-54-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-55-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-56-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-57-0x00007FFC22430000-0x00007FFC22440000-memory.dmp

Filesize
64KB

Download
memory/4696-38-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-95-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-94-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-98-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-96-0x00007FFC24D90000-0x00007FFC24DA0000-memory.dmp

Filesize
64KB

Download
memory/4696-97-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-99-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-100-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download
memory/4696-101-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads