4a9d815f284adda187982e2b24da2beaad860739bc4b4cb1cf26408e7c221dd6

General

Target

$PLUGINSDIR/downloader_nsis_plugin.dll
Size

1.2MB
MD5

f181413906a465fd0dd68cc4a3d98803
SHA1

5aa28be48047dd0b672ab98d5e7cbd8260486b4b
SHA256

e28ff7b8fc4b1eb2d1f394ce15de2fc031cda58db645038c8c07581c31e79dda
SHA512

8d0116bcbc3938b2ebdddf77dec87e4b6c872382d20b555571b0bc3e4a35f88d16bc450004f875a8271165b71bdbae5d4d474a5bfda4c7787da63f4325009c25
SSDEEP

24576:UtF94NRXKCK8gEM4Vn8rHmAumkpF6sBE:Ut/uXTianGmAumkpFe

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4188 4352 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4188	4352	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3152 WINWORD.EXE
3152 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3152 WINWORD.EXE
3152 WINWORD.EXE
3152 WINWORD.EXE
3152 WINWORD.EXE
3152 WINWORD.EXE
3152 WINWORD.EXE
3152 WINWORD.EXE

pid	process
3152	WINWORD.EXE
3152	WINWORD.EXE

pid	process
3152	WINWORD.EXE
3152	WINWORD.EXE
3152	WINWORD.EXE
3152	WINWORD.EXE
3152	WINWORD.EXE
3152	WINWORD.EXE
3152	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1384 wrote to memory of 4352	1384	rundll32.exe	rundll32.exe
PID 1384 wrote to memory of 4352	1384	rundll32.exe	rundll32.exe
PID 1384 wrote to memory of 4352	1384	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\downloader_nsis_plugin.dll,#1
2⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 896
3⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4352 -ip 4352
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3992,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
1f2339051c704c48b25e3e27cfe9b8f5

SHA1
22230e78ae3ca9ebd13fdf59fcfb54bb8f0a40fa

SHA256
5dbe38468bf0444e4df3a9f76eeafda3bdbdbb98d57ad6676e5f50be0e175783

SHA512
8cb33bbec66ad0f250e68bc47829ea561e5b791cde0451eeae293dd2692236d3d65cf23e5015779e2c1976a05e77f23007da8267a3da03683d52ff7fd308ed43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
4f6539f61b9bfaabec0acf12505d6456

SHA1
efb9295d72b52e2d855c951cb04bb54a89d746c5

SHA256
a32beed1300f256fada02e30d709fd8d5c888efa2a3d220ee3651a8598524a2e

SHA512
7955d4e474ad181b24efc80ae7ec734beb7196c975cfb881cc6a5fb23d89fa26491e3c94ea2e3bf2f120c6f8e82d5cb9387058412ff5e757c7d0ba0116b4be7f

Download Submit
memory/3152-9-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-20-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-6-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-8-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-7-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-10-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-13-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-14-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-12-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-11-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-0-0x00007FF821030000-0x00007FF821040000-memory.dmp

Filesize
64KB

Download
memory/3152-15-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-16-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-5-0x00007FF86104D000-0x00007FF86104E000-memory.dmp

Filesize
4KB

Download
memory/3152-19-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-18-0x00007FF81E9C0000-0x00007FF81E9D0000-memory.dmp

Filesize
64KB

Download
memory/3152-17-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-22-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-21-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download
memory/3152-23-0x00007FF81E9C0000-0x00007FF81E9D0000-memory.dmp

Filesize
64KB

Download
memory/3152-4-0x00007FF821030000-0x00007FF821040000-memory.dmp

Filesize
64KB

Download
memory/3152-3-0x00007FF821030000-0x00007FF821040000-memory.dmp

Filesize
64KB

Download
memory/3152-2-0x00007FF821030000-0x00007FF821040000-memory.dmp

Filesize
64KB

Download
memory/3152-1-0x00007FF821030000-0x00007FF821040000-memory.dmp

Filesize
64KB

Download
memory/3152-537-0x00007FF860FB0000-0x00007FF8611A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads