75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa

General

Target

75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe
Size

409KB
MD5

095d9e6e0d472d3c91ec718b33009dce
SHA1

e98990a6bc24b276b669b45edf1d1a6f570e0a7a
SHA256

75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa
SHA512

31f1847f2662ee91eeee40a7d689d0a04a80d8b63e23f6a8a46056f20df7b3c23317789cc9956fa2f17dd687c38ee619181a5aa888f842875e23da76dc326381
SSDEEP

6144:ho+k6sXkPV9WBtpypFBK4Tu/6oIx6SCxHlugp6QcHul5CTVhUgPbg+vPLsHEF:GrWcDkpFBK4Tu2xYHlB6HHggTHVP8i4q

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	686E.tmp

Executes dropped EXE 1 IoCs

pid	Process
832	686E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	686E.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3748	WINWORD.EXE
3748	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
832	686E.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3748	WINWORD.EXE
3748	WINWORD.EXE
3748	WINWORD.EXE
3748	WINWORD.EXE
3748	WINWORD.EXE
3748	WINWORD.EXE
3748	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 832	2348	75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe	89
PID 2348 wrote to memory of 832	2348	75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe	89
PID 2348 wrote to memory of 832	2348	75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe	89
PID 832 wrote to memory of 3748	832	686E.tmp	96
PID 832 wrote to memory of 3748	832	686E.tmp	96

C:\Users\Admin\AppData\Local\Temp\75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe
"C:\Users\Admin\AppData\Local\Temp\75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\686E.tmp
  "C:\Users\Admin\AppData\Local\Temp\686E.tmp" --pingC:\Users\Admin\AppData\Local\Temp\75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.exe E40394C79B00C62EBD1E0227594279EDA3B968C009D0C1CC13E6FC895F3CEA86C57DD6A687EC5A8625C4E64619DB209FA8FE4E058D3238B3089CCBA30E498FDA
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\686E.tmp

Filesize
409KB

MD5
3b343bea2b9d47c3975deb91c877e2ad

SHA1
44a7c6e4b1de26025565f6f6d8bb856d68bb6578

SHA256
5808f49b357f71dbd374c482b3d3b6c40e288660b484d662ee4856116766cffb

SHA512
68b36390eb8ce08d30e68f9e8a1a1caa09e07784d6f545b61c72058b90a2f7f224955ebe444d8eae855110fc87e10affbc419ccf57b5c66af5900dfc02fe1ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\75ddeb62e1684dec3afe4775a0f88493259c60cccd8506d05223b4719a2e70aa.doc

Filesize
21KB

MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC1C1.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
memory/3748-25-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-26-0x00007FFCB72F0000-0x00007FFCB7300000-memory.dmp

Filesize
64KB

Download
memory/3748-16-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-18-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-19-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-20-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-21-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-17-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-22-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-24-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-23-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-14-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-27-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-15-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-28-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-29-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-31-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-30-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-32-0x00007FFCB72F0000-0x00007FFCB7300000-memory.dmp

Filesize
64KB

Download
memory/3748-13-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-527-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download
memory/3748-547-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-548-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-549-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-550-0x00007FFCB9490000-0x00007FFCB94A0000-memory.dmp

Filesize
64KB

Download
memory/3748-551-0x00007FFCF9410000-0x00007FFCF9605000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads