15d334379046a206f2daaf3af56cb6ced0f33ead1c7192725cb55ecbd97592dc

General

Target

267eb69ab36b183ba1f89f13b5015a40N.exe
Size

467KB
MD5

267eb69ab36b183ba1f89f13b5015a40
SHA1

e5dfe2983836567b89fa5e2d5df069cd2d572f83
SHA256

15d334379046a206f2daaf3af56cb6ced0f33ead1c7192725cb55ecbd97592dc
SHA512

370d610acf2ca9ceb2d72b9bd0d8a2f9cbd51dc5ff54cb858c581a30910ac3cd71985f58c95aa1d0060c6266e7636ba361794e3dde52b0c0f9fd5899d2f694a5
SSDEEP

6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DL6pVqvp+OsCZOl89TFfE6x30:PYO1QIubR5KWc9uo6TFTqCC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	787C.tmp

Executes dropped EXE 1 IoCs

pid	Process
1104	787C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	787C.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4700	WINWORD.EXE
4700	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1104	787C.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE
4700	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 1104	380	267eb69ab36b183ba1f89f13b5015a40N.exe	85
PID 380 wrote to memory of 1104	380	267eb69ab36b183ba1f89f13b5015a40N.exe	85
PID 380 wrote to memory of 1104	380	267eb69ab36b183ba1f89f13b5015a40N.exe	85
PID 1104 wrote to memory of 4700	1104	787C.tmp	89
PID 1104 wrote to memory of 4700	1104	787C.tmp	89

C:\Users\Admin\AppData\Local\Temp\267eb69ab36b183ba1f89f13b5015a40N.exe
"C:\Users\Admin\AppData\Local\Temp\267eb69ab36b183ba1f89f13b5015a40N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\787C.tmp
  "C:\Users\Admin\AppData\Local\Temp\787C.tmp" --pingC:\Users\Admin\AppData\Local\Temp\267eb69ab36b183ba1f89f13b5015a40N.exe 04D39FB0B03C6EC25777089D2A0B30838CAF0C4421834D5817602C1C23674596B4124313F7654DAA9ABA0989A28C1A5BF58C643E7CC9499C01CF924E3BB1D0E7
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\267eb69ab36b183ba1f89f13b5015a40N.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\267eb69ab36b183ba1f89f13b5015a40N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Local\Temp\787C.tmp

Filesize
467KB

MD5
2eb69af5b460833c405dab54037470f5

SHA1
59632949b0064ec301b5f560c8c0935b2a5defd6

SHA256
2b7a8a8bcc06ac0a4edfa8a4bcdb62b10f498cbe2ff1635946b7a3fd8f049b4f

SHA512
d7d20fea79136180592474df1a143914b06bd6051f9573f3fb4ef30ff1e9f37131f026c5bee02e30faf6f7841b32d9eb88bf3d8da5358a83ad5e722eef9f9349

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC712.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/380-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/380-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1104-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1104-16-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4700-29-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-35-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-20-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-22-0x00007FFE0D28D000-0x00007FFE0D28E000-memory.dmp

Filesize
4KB

Download
memory/4700-23-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-24-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-25-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-26-0x00007FFDCAF70000-0x00007FFDCAF80000-memory.dmp

Filesize
64KB

Download
memory/4700-27-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-30-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-18-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-28-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-33-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-21-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-38-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-37-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-36-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-34-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-32-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-31-0x00007FFDCAF70000-0x00007FFDCAF80000-memory.dmp

Filesize
64KB

Download
memory/4700-19-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-17-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-535-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4700-553-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-554-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-556-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-555-0x00007FFDCD270000-0x00007FFDCD280000-memory.dmp

Filesize
64KB

Download
memory/4700-557-0x00007FFE0D1F0000-0x00007FFE0D3E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads