e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553

General

Target

e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe
Size

463KB
MD5

253e32254b23f19285a9bc6dbe751aaa
SHA1

0205aed67c7f81dfb4bcfeda6f1749bcaed6e5d1
SHA256

e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553
SHA512

1145c8337a10c8482d4f1c6e4eeffb7f6af3ecc0a59d5b5221d3de152a757c4baaf1540f2cae3235cc1bba6147ed48e7e6e8d99ed11f6070aba977fabf8739cf
SSDEEP

3072:k5Ua+ZS5apRZUs/626TX6iDoj7yvAIQR1lXA99nbzwj4CrCU2clxyCe8kCnEnGBk:IUBSisTXzDo1IG1lXAbnwj4VGBVniXmW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
40	804	wscript.exe
42	804	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2324	WINWORD.EXE
2324	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE
2324	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4108	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	83
PID 4752 wrote to memory of 4108	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	83
PID 4752 wrote to memory of 4108	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	83
PID 4752 wrote to memory of 4972	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	85
PID 4752 wrote to memory of 4972	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	85
PID 4752 wrote to memory of 4972	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	85
PID 4752 wrote to memory of 1796	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	87
PID 4752 wrote to memory of 1796	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	87
PID 4752 wrote to memory of 1796	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	87
PID 4752 wrote to memory of 3676	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	89
PID 4752 wrote to memory of 3676	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	89
PID 4752 wrote to memory of 3676	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	89
PID 3676 wrote to memory of 3424	3676	cmd.exe	91
PID 3676 wrote to memory of 3424	3676	cmd.exe	91
PID 3676 wrote to memory of 3424	3676	cmd.exe	91
PID 4752 wrote to memory of 3824	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	92
PID 4752 wrote to memory of 3824	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	92
PID 4752 wrote to memory of 3824	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	92
PID 4752 wrote to memory of 3288	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	94
PID 4752 wrote to memory of 3288	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	94
PID 4752 wrote to memory of 3288	4752	e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe	94

C:\Users\Admin\AppData\Local\Temp\e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe
"C:\Users\Admin\AppData\Local\Temp\e8041f7cf09e56247ce8133b7dd3063012917dd0afd8c7882691464caad7c553.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y C:\Users\Admin\16647.ico C:\Users\Admin\AppData\Local\16647.ico.vbs
  2⤵
  PID:4108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo $> C:\Users\Admin\16647.ico
  2⤵
  PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /f C:\Users\Admin\16647.ico
  2⤵
  PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\16647.ico.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\16647.ico.vbs"
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo $> C:\Users\Admin\AppData\Local\16647.ico.vbs
  2⤵
  PID:3824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:3288

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\Favorites\jackal //e:vbscript /joan /jeer /junk //b
1⤵
PID:696

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\Favorites\jacket //e:vbscript /joan /jeer /junk //b
1⤵
- Blocklisted process makes network request
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\16647.ico

Filesize
25KB

MD5
f636a2de43302a6defef0fff0919e0ff

SHA1
81d01cc8cb6f887d3815f3234de0b6b196f6c3f1

SHA256
afe00c934b345f6a6140b5a6cb660855415f5280865eaafceb1380c014837f37

SHA512
1845b52fe853b981d47ef887a194f9bdb7928e52cbca7011811962bcf93860ec790404f26fea45340442b4016c45f381eb66f5fa4ad145163d83d5cf095b609e

Download Submit
C:\Users\Admin\16647.ico

Filesize
3B

MD5
2f427911d9acd25cf3bded62bf1cd7f2

SHA1
0381dbd10dd5645aaa215139dc9d768e7fc3bb38

SHA256
fee7fcc838f20e383ba2b092ee9f511a8c66b7a4f94cc92971ca5b2c27e2dfa5

SHA512
cb7ad329dde4381b6506328a70c33af9024c282b3a25f850de59b9480b37ae62b40412057c510bc560eda64ba958833168af7889a86fc195e1aedf091edc63fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
8515f38fa3bbc573931434a2ce73fb22

SHA1
29f4a4c6046b1a453bc275fdf8f94e7070dca2e0

SHA256
0937f2e276e7941153f5f2f6fa1e6031b123693e3e949c430d0505dd2a619eb4

SHA512
5fc089ac95a721a4dc03fea3a3f316daf80e3f0f3d8239ff641f0bda7c2b50b4c8c5c6ac5c5cd7134d6bf5745a05d30854d7c092614144f0c86d697939faab96

Download Submit
C:\Users\Admin\Favorites\jackal

Filesize
7KB

MD5
9aef84a64cd32530d97c0e87d287d6c2

SHA1
56b27c6fe81744222573e9b1839fabdaa2946f7e

SHA256
52639106ced5880cb3d17b18b52e9042652811d1ee438fd0ca3c893274f7e126

SHA512
e0723279cfef45fdc490b5327f4f84857fb53a13391ffcf8698c15cb1d6f02dcbd93b8f6bfebe336c93b59a6dfc4c94a9b65af16e683e2d0c8f4a12e63c63277

Download Submit
C:\Users\Admin\Favorites\jacket

Filesize
14KB

MD5
af28d433eb93b3b3ba92b072a4c885b1

SHA1
ce91148a6e02279e0a6cf4a31e225518cc5034a9

SHA256
9dd3552087e21228ee2d1c39e0ae11c92eea4efc3bf347146d0c1bb61d6c6f3d

SHA512
9116ee4543b8cd3a1dbb543a9ce66978a1a8aa8f0237c715a7971afceb6eb0b25154999f61d19ef4f05465a4dd1dcd5de91ca294b02c6e4c7cfe7662bb100602

Download Submit
memory/2324-25-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-36-0x00007FF950190000-0x00007FF9501A0000-memory.dmp

Filesize
64KB

Download
memory/2324-24-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-26-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-22-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-23-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-27-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-28-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-29-0x00007FF950190000-0x00007FF9501A0000-memory.dmp

Filesize
64KB

Download
memory/2324-30-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-31-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-32-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-33-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-34-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-35-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-21-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-37-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-38-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-39-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-40-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-41-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-42-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-20-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-19-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-55-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-81-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-82-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-83-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-84-0x00007FF952AF0000-0x00007FF952B00000-memory.dmp

Filesize
64KB

Download
memory/2324-85-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download
memory/2324-86-0x00007FF992A70000-0x00007FF992C65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads