d08a0ba6faa8e766562672928624d13ddd38aa1955c7e525f5324c911a969bfe

General

Target

88a77351c802e4ecac290347d5cc8c30N.exe
Size

467KB
MD5

88a77351c802e4ecac290347d5cc8c30
SHA1

ab97671547a30a53043b529957a2d14c2b815d8d
SHA256

d08a0ba6faa8e766562672928624d13ddd38aa1955c7e525f5324c911a969bfe
SHA512

9499c02e1a98d1744f56792d7000cfe8e54887f02e8a575eb5a1cd8429ef29a678415e30b2940ac50b0e9e2ffab73a0dd82b1ee84ec76b61114204e247d73090
SSDEEP

12288:mEpM+9SVpJOvL8v3O55gLjPY9NJIA2gcMkHC:mEpd9SVOT8/O55CqcM+C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	A73C.tmp

Executes dropped EXE 1 IoCs

pid	Process
2636	A73C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings	A73C.tmp

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2636	A73C.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE
528	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 2636	3824	88a77351c802e4ecac290347d5cc8c30N.exe	84
PID 3824 wrote to memory of 2636	3824	88a77351c802e4ecac290347d5cc8c30N.exe	84
PID 3824 wrote to memory of 2636	3824	88a77351c802e4ecac290347d5cc8c30N.exe	84
PID 2636 wrote to memory of 528	2636	A73C.tmp	88
PID 2636 wrote to memory of 528	2636	A73C.tmp	88

C:\Users\Admin\AppData\Local\Temp\88a77351c802e4ecac290347d5cc8c30N.exe
"C:\Users\Admin\AppData\Local\Temp\88a77351c802e4ecac290347d5cc8c30N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\A73C.tmp
  "C:\Users\Admin\AppData\Local\Temp\A73C.tmp" --pingC:\Users\Admin\AppData\Local\Temp\88a77351c802e4ecac290347d5cc8c30N.exe F3508ADD73869565BF3A8AC1014362FC1B99258EEEB903A23E06386CD7799F30B051D6FA0A974CA0292FD91FF1C5CB54211FD8982CA9751DCE3823EB5CC37C65
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\88a77351c802e4ecac290347d5cc8c30N.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88a77351c802e4ecac290347d5cc8c30N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Local\Temp\A73C.tmp

Filesize
467KB

MD5
aefeac7b7e2c469fde84ce335e90f0c0

SHA1
8fe06cbe288cfe13c647aebc64ee9979638d5ae1

SHA256
1ce0cfe25b07cd6faa7d5fb8df70bfff6f71610478188000ecdeb1ad47ba529b

SHA512
4a8897242d36602b9c9c7fae63a8862e92362ab0a9cb940adfe6e6001cdc6d9ac154418e309d4c29337cc9aab27cb488e7d81e7e0d1ff713a665b6f0d0078089

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF4E9.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
30b808f28e14715cfa1c95e2b2080fa2

SHA1
a3f2bf396049ec64a30dac10b29635502a9e7e6e

SHA256
473b43e78c2205e1fd54ec6dafe4cedf5829f9ad164f2b48d9ddd9c7232939f8

SHA512
6565ce00a2b481b69198a2a2ccda967c34d06965a0921e5d62da6c4fdef7598563c7bad1ebe1fa8a890fc8810aa28eb78713ef48bc64e4f81c1f995c2b34a2e1

Download Submit
memory/528-22-0x00007FF88866D000-0x00007FF88866E000-memory.dmp

Filesize
4KB

Download
memory/528-36-0x00007FF8463E0000-0x00007FF8463F0000-memory.dmp

Filesize
64KB

Download
memory/528-19-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-212-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-23-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-25-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-27-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-29-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-31-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-30-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-32-0x00007FF8463E0000-0x00007FF8463F0000-memory.dmp

Filesize
64KB

Download
memory/528-28-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-26-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-24-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-33-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-20-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-37-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-38-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-35-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-34-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-21-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-208-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-211-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-210-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/528-190-0x00007FF8885D0000-0x00007FF8887C5000-memory.dmp

Filesize
2.0MB

Download
memory/528-209-0x00007FF848650000-0x00007FF848660000-memory.dmp

Filesize
64KB

Download
memory/2636-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2636-18-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3824-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3824-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads