2f12b36fd860ef0601e577ae7df885da24c35bfb36855c7425d72e58b4752876

General

Target

15b8a047b8a35a956c4fe7de2940ea20N.exe
Size

467KB
MD5

15b8a047b8a35a956c4fe7de2940ea20
SHA1

baa2f7a0ad7d054d63f88ff0b87cc2cb594a28f5
SHA256

2f12b36fd860ef0601e577ae7df885da24c35bfb36855c7425d72e58b4752876
SHA512

1069f7541206d9aa9e01d07f4c3aa5d5a1cbf8cc9e2f6f570806597fe838cb49d48f6fa32dcd5966f1c37ac80be77015941cf14f6026326ca6c910cf5b5aef92
SSDEEP

6144:p2jWdaEaa66s8do9PNbn1lfF4jgfg9UwFX5WLnaurGWM78L/i0aC3noyvEmyRsH:pWBm+95nHfF2mgewFX5VCTLG0FYwEE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	22AD.tmp

Loads dropped DLL 1 IoCs

pid	Process
2640	15b8a047b8a35a956c4fe7de2940ea20N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15b8a047b8a35a956c4fe7de2940ea20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22AD.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2656	22AD.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2700	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2656	22AD.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	WINWORD.EXE
2700	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2656	2640	15b8a047b8a35a956c4fe7de2940ea20N.exe	30
PID 2640 wrote to memory of 2656	2640	15b8a047b8a35a956c4fe7de2940ea20N.exe	30
PID 2640 wrote to memory of 2656	2640	15b8a047b8a35a956c4fe7de2940ea20N.exe	30
PID 2640 wrote to memory of 2656	2640	15b8a047b8a35a956c4fe7de2940ea20N.exe	30
PID 2656 wrote to memory of 2700	2656	22AD.tmp	31
PID 2656 wrote to memory of 2700	2656	22AD.tmp	31
PID 2656 wrote to memory of 2700	2656	22AD.tmp	31
PID 2656 wrote to memory of 2700	2656	22AD.tmp	31
PID 2700 wrote to memory of 2172	2700	WINWORD.EXE	33
PID 2700 wrote to memory of 2172	2700	WINWORD.EXE	33
PID 2700 wrote to memory of 2172	2700	WINWORD.EXE	33
PID 2700 wrote to memory of 2172	2700	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\15b8a047b8a35a956c4fe7de2940ea20N.exe
"C:\Users\Admin\AppData\Local\Temp\15b8a047b8a35a956c4fe7de2940ea20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\22AD.tmp
  "C:\Users\Admin\AppData\Local\Temp\22AD.tmp" --pingC:\Users\Admin\AppData\Local\Temp\15b8a047b8a35a956c4fe7de2940ea20N.exe A86F1AA6508C2BA903A9EE45005393072F7A74F0801F2AC025B489C84C140658962E2FBA4EC56FE1EBEDD085E75CD85529D20BEC6B95D7A3000555F4EB6B5810
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\15b8a047b8a35a956c4fe7de2940ea20N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15b8a047b8a35a956c4fe7de2940ea20N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
08da853cd129341a949de6b40fe6f618

SHA1
8ecb9a9bd1c22f16d67369f926083dee775fed39

SHA256
03b642d2cc9b1cb164ef2a0d58478cccffb2f65275d9b1ab5de087a4390bb11b

SHA512
b461e6784b62067be97d77d9a12d40dcf823bd637a5abf37ebbc9e9da8232fa193b67f2f17676ae217c0b7f2464c6c668ceb98b15a26cc0f3e01b2fe895eebd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\22AD.tmp

Filesize
467KB

MD5
43b795126fa8923c6138517a5eceb67a

SHA1
061313c2d9447bbb932f31b24049413568828729

SHA256
cece6e3833db1950f97336f0aaa7b8438b98a14d0695e08da6817a9b8879e246

SHA512
1a8cbbcb9b5fe6f2cfa0dfd074b8c0133efa8d993f7cfb93ebaecc26cd7ad9d2594880c891158ec69b15f41198ae7f437dfb3644de8f16984af79e5a55b7ac83

Download Submit
memory/2640-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2640-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2656-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2656-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2700-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-15-0x000000007154D000-0x0000000071558000-memory.dmp

Filesize
44KB

Download
memory/2700-11-0x000000002F6C1000-0x000000002F6C2000-memory.dmp

Filesize
4KB

Download
memory/2700-32-0x000000007154D000-0x0000000071558000-memory.dmp

Filesize
44KB

Download
memory/2700-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads