9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144

General

Target

a.exe
Size

2.3MB
MD5

ee9a10cc6bd9f7796059ae02ba639f1e
SHA1

23747dee593504e58b971aebe0c141ec6c731f06
SHA256

9e1dffbe4c8972181a53065138ee824127dcef0f9b86d3053f496e1ddb4f4144
SHA512

0ae1239ea582fb113e7598005835c40327dab40f4e4c72c2b18c1344cba32adc769d18f719c4ce92a2be6c9875379ca1c3f493c44c7a799f8078aff7ccf0efdc
SSDEEP

49152:DI10S/UlnJt37NunQ7Djx4Z1OeAps9EWwPgTRNMWhJve8IWye3bJAsjrXh1:DI10blJuGuZgeAp9WjNp5e1Wye3bO8Dz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	agentaez1y.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	agentaez1y.exe
4960	intagext.exe

Loads dropped DLL 1 IoCs

pid	Process
4960	intagext.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	intagext.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	intagext.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2076	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3872	WINWORD.EXE
3872	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3876	a.exe
3876	a.exe
1828	agentaez1y.exe
1828	agentaez1y.exe
1828	agentaez1y.exe
1828	agentaez1y.exe
1828	agentaez1y.exe
1828	agentaez1y.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3876	a.exe
Token: SeDebugPrivilege	4960	intagext.exe
Token: SeDebugPrivilege	4960	intagext.exe
Token: SeDebugPrivilege	4960	intagext.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE
3872	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 3872	3876	a.exe	85
PID 3876 wrote to memory of 3872	3876	a.exe	85
PID 3876 wrote to memory of 1828	3876	a.exe	86
PID 3876 wrote to memory of 1828	3876	a.exe	86
PID 3876 wrote to memory of 1828	3876	a.exe	86
PID 3876 wrote to memory of 3908	3876	a.exe	87
PID 3876 wrote to memory of 3908	3876	a.exe	87
PID 3876 wrote to memory of 3908	3876	a.exe	87
PID 1828 wrote to memory of 4960	1828	agentaez1y.exe	101
PID 1828 wrote to memory of 4960	1828	agentaez1y.exe	101
PID 1828 wrote to memory of 4960	1828	agentaez1y.exe	101
PID 1828 wrote to memory of 4536	1828	agentaez1y.exe	102
PID 1828 wrote to memory of 4536	1828	agentaez1y.exe	102
PID 1828 wrote to memory of 4536	1828	agentaez1y.exe	102
PID 4536 wrote to memory of 2076	4536	cmd.exe	104
PID 4536 wrote to memory of 2076	4536	cmd.exe	104
PID 4536 wrote to memory of 2076	4536	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3872
- C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe
  "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe
    "C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 0.0.0.0 & del "C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0.0.0.0
      4⤵
      Runs ping.exe
      PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\a.exe > nul
  2⤵
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Accounts\goopdate.dll

Filesize
544KB

MD5
0b06c23090150af11511a2b8d2c80612

SHA1
a4561633c0e67210e63e10b5177eebb6213d6465

SHA256
84f7b9759a098ddbd0c6f624fc4f545efe128260a5fcfcd12d86b95ffe128a41

SHA512
3a5d5ade016ffcc2404d7763ca2eb604525f77508798fdefe8d75e84808ab914ea096202c8a85ad2381c6c05f015d441c43d6cd08bbed9f376e68155c73172a3

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\intagext.exe

Filesize
193KB

MD5
39342d0d279b0eb767292c3e01150da6

SHA1
69e26aaf3bf889df7f3c6c3d1b43099080ec6b76

SHA256
d2b417cf6a903c7154fe07fad1f5eaca9b0b3c5a7a7e80cf1bf16449fc7d24d9

SHA512
70e5d6f52a56bfc82c973694cf84a35663d61f262858e8152bf9aaf381ae1e1135cc3111a30c9d0aae6cdbf457a38780a5f860fe8706e7794987bc1e2248c429

Download Submit
C:\ProgramData\Microsoft\Windows\Accounts\theme.dat

Filesize
719KB

MD5
68915d3de90380d224d6deeb8927430e

SHA1
26d2a331265cae0d6cbd2d88a033756957ec00bf

SHA256
a5f918463ef5cd3156595dae0bb12e9e55e18f3bb41f6804dfe741807dd8f544

SHA512
05e6a771a0c2b52fd32595f58fb8cb26cfc0008d7aeb89385fb46f1a135360833b232f4e7086cbdf3d9e7b43c7c7a119e9499c3e4bba8b0b0084a524520360ad

Download Submit
C:\ProgramData\Microsoft\eHome\thumbcache.dat

Filesize
14KB

MD5
7d7e2577c36ab7c3b241e48c2bd33db4

SHA1
63e61c131e4e3892012440a1c71b2715daf7a250

SHA256
d8103c20988c79e1bf5f4394a83bcf41980ec816a01ff582960b622985dfae71

SHA512
d5234a63bc632b66e1e231bc284d955cfa0ff079bb16615b5829b395c7fe578ed574dc03d8400d938c3569374199b650d22ff5264a00623188f6bd63a7b38100

Download Submit
C:\Users\Admin\AppData\Local\Temp\agentaez1y.exe

Filesize
2.2MB

MD5
1161070b198d3a360bb699a58197c102

SHA1
f2872fc4101fa4781c6f7206e50eae3d1c5e79e2

SHA256
30f58490b5ac155bd5fab3a72e2d112dbfa599670b3d6fcdf9150aee0f9c4810

SHA512
da99f707f0d462592135161dfd80978e229fa0ec672dffcfa8c7b63c2518111cfcee144861385528b92c3ec112010acf46096b31fddfdcfdfa878c7b91eaa6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\桂台两会提案.docx

Filesize
11KB

MD5
4363693fba849bb28412a957f2ab9be1

SHA1
9439d4bc731e970603eec1936eb338a3f32a324a

SHA256
4dc5394a0963dce4eb12f186ff47432ab121eb024bbc3cf40d60b21bcc3a0af2

SHA512
27c31791bddb37891ea064b1e3654880904cefe5d370ae93f26aaf52273ac1de5e811c389b44bdf06fb1767061a76b3fefa259f971382d71742415f3a9f206c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1828-30-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1828-150-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1828-55-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/3872-14-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-20-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-26-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-28-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-25-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-29-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-31-0x00007FF839CD0000-0x00007FF839CE0000-memory.dmp

Filesize
64KB

Download
memory/3872-32-0x00007FF839CD0000-0x00007FF839CE0000-memory.dmp

Filesize
64KB

Download
memory/3872-22-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-54-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-24-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-23-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-21-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-27-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-188-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-18-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-19-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-151-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-152-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-187-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/3872-182-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-183-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-184-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-185-0x00007FF83BD90000-0x00007FF83BDA0000-memory.dmp

Filesize
64KB

Download
memory/3872-186-0x00007FF87BD10000-0x00007FF87BF05000-memory.dmp

Filesize
2.0MB

Download
memory/4960-157-0x0000000002C70000-0x0000000002D1E000-memory.dmp

Filesize
696KB

Download
memory/4960-64-0x0000000010000000-0x00000000100AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads