f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856

General

Target

f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe
Size

467KB
MD5

2a5ca275231114e49d9829a633a278b1
SHA1

8b1bba15700f18ef6bb7c4cf99d253a73815488a
SHA256

f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856
SHA512

51303d412fd023ccf49b7c363302b4b89da29c6b78193119f610d3c82bb5a91085b5c8933794fed0ae3657b1304f1f5feb01fa7faf4ddc688240d6094ce0fdc2
SSDEEP

6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DLvaI3DdyUHXD+T7BGS7oDwvE:PYO1QIubR5/tdyU3DFS7okvEyC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	3335.tmp

Executes dropped EXE 1 IoCs

pid	Process
3416	3335.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	3335.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4596	WINWORD.EXE
4596	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3416	3335.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3416	4568	f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe	82
PID 4568 wrote to memory of 3416	4568	f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe	82
PID 4568 wrote to memory of 3416	4568	f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe	82
PID 3416 wrote to memory of 4596	3416	3335.tmp	88
PID 3416 wrote to memory of 4596	3416	3335.tmp	88

C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe
"C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Local\Temp\3335.tmp
  "C:\Users\Admin\AppData\Local\Temp\3335.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.exe B933857452C2453ECC8820A667E997BEF6D038ED71ECFA963E225C14A074D0B2D68E74FA4F2B7DC5EBB73F83823C1FC2247AB19F403A7822843EE667A5DC4048
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3335.tmp

Filesize
467KB

MD5
d675b8512a649a72af7c3103f0c10cf4

SHA1
b9806d9b9e39eaf6c035659795d53533e8d6344d

SHA256
5f9784befccf0cd16b0f8cfa382d5fc64c6b0265b16bf5f19ed67a3aa82418f6

SHA512
6dc42dfdf9c4fabbbe94359cbabd6849c08a3336c593b85651d838ac5f07e90e8c07540ed1d0fc2a064d774d9d33be9121880ff8cabd47728314a359bac6dc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD82A4.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f072198b242d7f53e6f531fe71d4a4e14653be2c2c1d8c595903abbe6448a856.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3416-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3416-18-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4568-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4568-5-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4596-29-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-37-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-20-0x00007FFF7E88D000-0x00007FFF7E88E000-memory.dmp

Filesize
4KB

Download
memory/4596-25-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-24-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-26-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-31-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-32-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-30-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-33-0x00007FFF3C010000-0x00007FFF3C020000-memory.dmp

Filesize
64KB

Download
memory/4596-23-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-34-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-35-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-28-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-27-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-22-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-40-0x00007FFF3C010000-0x00007FFF3C020000-memory.dmp

Filesize
64KB

Download
memory/4596-39-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-38-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-36-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-21-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-19-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-541-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-542-0x00007FFF7E88D000-0x00007FFF7E88E000-memory.dmp

Filesize
4KB

Download
memory/4596-543-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-544-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-565-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-566-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-567-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-564-0x00007FFF3E870000-0x00007FFF3E880000-memory.dmp

Filesize
64KB

Download
memory/4596-568-0x00007FFF7E7F0000-0x00007FFF7E9E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads