a4dce07d8b19d30313f6a41627649420e1217b6559236c1dcf45bb99d586bc24

General

Target

b2540f88d50f47eea407048f20ae3eea.exe
Size

465KB
MD5

b2540f88d50f47eea407048f20ae3eea
SHA1

e43bf507f63f8c4dc43ed118defdf2d1af7e6642
SHA256

a4dce07d8b19d30313f6a41627649420e1217b6559236c1dcf45bb99d586bc24
SHA512

73ca967bd71a91205390d9d6c8863035008e33fc9ec91969f0c29e005fd6c58764e6bde6a0ff48f7eedd6ebe96f1e893b942782ae9c04265412de3d7d49732c2
SSDEEP

12288:Bb4bZudi79L0dbHVRK7IbczHNJWY+7AA:Bb4bcdkL0uHtJ9+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	5738.tmp

Executes dropped EXE 1 IoCs

pid	Process
3608	5738.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	5738.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1780	WINWORD.EXE
1780	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3608	5738.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE
1780	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 3608	4460	b2540f88d50f47eea407048f20ae3eea.exe	88
PID 4460 wrote to memory of 3608	4460	b2540f88d50f47eea407048f20ae3eea.exe	88
PID 4460 wrote to memory of 3608	4460	b2540f88d50f47eea407048f20ae3eea.exe	88
PID 3608 wrote to memory of 1780	3608	5738.tmp	94
PID 3608 wrote to memory of 1780	3608	5738.tmp	94

C:\Users\Admin\AppData\Local\Temp\b2540f88d50f47eea407048f20ae3eea.exe
"C:\Users\Admin\AppData\Local\Temp\b2540f88d50f47eea407048f20ae3eea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\5738.tmp
  "C:\Users\Admin\AppData\Local\Temp\5738.tmp" --helpC:\Users\Admin\AppData\Local\Temp\b2540f88d50f47eea407048f20ae3eea.exe 4AAA8D9C8DB8C004B5AB1C8ABA731307432B236ACA2557629FB41DDB7A45D9C0BAB4BF431F45AD5664AEF23E43014FA8852B26FC8DBAA106CCD72DF3E6A8F119
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b2540f88d50f47eea407048f20ae3eea.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5738.tmp

Filesize
465KB

MD5
46668c9a2a4e1c6ccf7ca4af76d0e16b

SHA1
12b525954159dfea94b6a37fcaef0b323d4d2371

SHA256
ac2ecef19caeab22dee18a1a4e9514501f6a5e13353b495dd6a9c577aa1fe450

SHA512
af8a10186e9142580a009cf79f3e50c678248d9dcc5897f671cc308cbe6fd98e64306d30e02560b715a54cb7682a53eaccc1fc026934d3bf1200f6fb27f30306

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2540f88d50f47eea407048f20ae3eea.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1780-26-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-13-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-14-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-17-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-20-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-19-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-21-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-18-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-22-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-24-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-23-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-25-0x00007FFD80060000-0x00007FFD80070000-memory.dmp

Filesize
64KB

Download
memory/1780-27-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-15-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-16-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-28-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-74-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-32-0x00007FFD80060000-0x00007FFD80070000-memory.dmp

Filesize
64KB

Download
memory/1780-33-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-31-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-29-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-55-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-30-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-75-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-77-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-76-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-79-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-78-0x00007FFD82170000-0x00007FFD82180000-memory.dmp

Filesize
64KB

Download
memory/1780-81-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download
memory/1780-80-0x00007FFDC20F0000-0x00007FFDC22E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads