83e66109b18d85aaa3797665843ae6664225f0049e8e9430daabfa8c1c0903d7

General

Target

ec988abefad799b3a5cbda4504edc050N.exe
Size

467KB
MD5

ec988abefad799b3a5cbda4504edc050
SHA1

d5a99985eef10ed2bee46f2ef174193c32bcb8f4
SHA256

83e66109b18d85aaa3797665843ae6664225f0049e8e9430daabfa8c1c0903d7
SHA512

8e7ac3e4a905951ecde45187e18232a4bc717004dfbbecdbb216d61d489dc56a3f8e0814792349495def5bc052137cd6abdcde964df2e088f6d819daed10004a
SSDEEP

6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DLhFfUG3xpORuuW3XE+rf+QxB:PYO1QIubR5RF/3rORuuoXEOrkC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	FA46.tmp

Loads dropped DLL 1 IoCs

pid	Process
2684	ec988abefad799b3a5cbda4504edc050N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec988abefad799b3a5cbda4504edc050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FA46.tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2756	FA46.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2812	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2756	FA46.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2812	WINWORD.EXE
2812	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2756	2684	ec988abefad799b3a5cbda4504edc050N.exe	30
PID 2684 wrote to memory of 2756	2684	ec988abefad799b3a5cbda4504edc050N.exe	30
PID 2684 wrote to memory of 2756	2684	ec988abefad799b3a5cbda4504edc050N.exe	30
PID 2684 wrote to memory of 2756	2684	ec988abefad799b3a5cbda4504edc050N.exe	30
PID 2756 wrote to memory of 2812	2756	FA46.tmp	31
PID 2756 wrote to memory of 2812	2756	FA46.tmp	31
PID 2756 wrote to memory of 2812	2756	FA46.tmp	31
PID 2756 wrote to memory of 2812	2756	FA46.tmp	31
PID 2812 wrote to memory of 2248	2812	WINWORD.EXE	33
PID 2812 wrote to memory of 2248	2812	WINWORD.EXE	33
PID 2812 wrote to memory of 2248	2812	WINWORD.EXE	33
PID 2812 wrote to memory of 2248	2812	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\ec988abefad799b3a5cbda4504edc050N.exe
"C:\Users\Admin\AppData\Local\Temp\ec988abefad799b3a5cbda4504edc050N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\FA46.tmp
  "C:\Users\Admin\AppData\Local\Temp\FA46.tmp" --pingC:\Users\Admin\AppData\Local\Temp\ec988abefad799b3a5cbda4504edc050N.exe 3353F3862BD48D61A6D143AA5E09AB4E07B5D55EF60FB57FA54D516356D2E323EA294E83C2F4768AD485703083DC528F30515C353E2B5152F8C36573F1D833F4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ec988abefad799b3a5cbda4504edc050N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec988abefad799b3a5cbda4504edc050N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
460e3cf4e318b63a3d7e41050a0064e3

SHA1
901628cf58950f0adff8d51f533e9ef357c8ca26

SHA256
6129d027c3b61832c54fb7138a382ab7563c8df5be2eace38f24b2ecf29ec5b4

SHA512
1ce28e5bd6f1dce43d7ec873ede1bbde616231920e9cb6232976d9598336dee362045f9777a723c3c4beafcd3c8897d09f5f9c2b43bdb40cc40d88be17a1959d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\FA46.tmp

Filesize
467KB

MD5
706707f82f2e53dff055e396087ad8e6

SHA1
e136f44bde30ec5e059118ba72559f8c919be234

SHA256
f53c0a7092c80716842605d0f96ad5966d58e73301ba2b0f7daa13a69c60ed3c

SHA512
d7425a90a12f55af8b4230b0737e99de9d94c96407bc0cf77122898fb1a3ab71768f19137d8c02de18555ed29b39bfc31b826221ef7d9fe1b612de8447dc93df

Download Submit
memory/2684-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2684-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2684-7-0x00000000002C0000-0x000000000033E000-memory.dmp

Filesize
504KB

Download
memory/2756-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2756-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2812-16-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/2812-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2812-33-0x0000000070B6D000-0x0000000070B78000-memory.dmp

Filesize
44KB

Download
memory/2812-14-0x000000002F071000-0x000000002F072000-memory.dmp

Filesize
4KB

Download
memory/2812-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads