b5dd438bac149b3e8a508a3ba0f1aa2dd92546f44e23092a702b8f99e37dce72

General

Target

775823ac0f200964ea5033ded918c310N.exe
Size

1006KB
MD5

775823ac0f200964ea5033ded918c310
SHA1

197e202b215fc701ab242185011087b7f1de5458
SHA256

b5dd438bac149b3e8a508a3ba0f1aa2dd92546f44e23092a702b8f99e37dce72
SHA512

8365a1a8b9b246d5d2bcba23441cf0ad4f29223b75a6ccb8f0394e62140b335ae0f54e4377ceca60775847b3b0652501dc16312e2a2450071dd885a9ed3dabf2
SSDEEP

24576:SgV83LzXYJLKSMech6ispJzc5YYmsRr6ylMwpbdgaocZ0bD:SgVLKRWTQ6Zs5DhgPf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	775823ac0f200964ea5033ded918c310N.~01

Loads dropped DLL 1 IoCs

pid	Process
3612	775823ac0f200964ea5033ded918c310N.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SYSLIB32.DLL	775823ac0f200964ea5033ded918c310N.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7Z.TOA	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INSPECTOROFFICEGADGET.FEE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MAVINJECT32.EXE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZG.EXE	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVSHNOTIFY.JFS	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INSPECTOROFFICEGADGET.EXE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INTEGRATEDOFFICE.OHJ	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MAVINJECT32.TMF	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVSHNOTIFY.EXE	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INTEGRATEDOFFICE.OHJ	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\7-ZIP\7Z.TOA	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7Z.EXE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZFM.EXE	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\7-ZIP\7ZG.GEB	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVCLEANER.LRC	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVCLEANER.EXE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INTEGRATEDOFFICE.EXE	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MAVINJECT32.TMF	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\7-ZIP\7ZFM.RCQ	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZFM.RCQ	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZG.GEB	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVCLEANER.LRC	775823ac0f200964ea5033ded918c310N.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\APPVSHNOTIFY.JFS	775823ac0f200964ea5033ded918c310N.exe
File created	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\INSPECTOROFFICEGADGET.FEE	775823ac0f200964ea5033ded918c310N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	775823ac0f200964ea5033ded918c310N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3612	775823ac0f200964ea5033ded918c310N.exe

C:\Users\Admin\AppData\Local\Temp\775823ac0f200964ea5033ded918c310N.exe
"C:\Users\Admin\AppData\Local\Temp\775823ac0f200964ea5033ded918c310N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3612
- C:\Users\Admin\AppData\Local\Temp\775823ac0f200964ea5033ded918c310N.~01
  C:\Users\Admin\AppData\Local\Temp\775823ac0f200964ea5033ded918c310N.~01
  2⤵
  - Executes dropped EXE
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\775823ac0f200964ea5033ded918c310N.~01

Filesize
977KB

MD5
6fb65b639646a9c39980a10e979fb997

SHA1
580e75a4d187caf25e6ec5d89a0683c449cd43f7

SHA256
f6a02dca6c0144f041c6b9519374ea3fc16fc21699f8d38c1714d7e45874d4bd

SHA512
4f67da4c6119583b75939933311329d79d1c2f1ff9e449340139fd00e0d7b84ca5f8df9255d70abd58749310517b5c8c01d743f686e22ac6655471299eefe6cb

Download Submit
C:\Windows\SysWOW64\SYSLIB32.DLL

Filesize
4KB

MD5
6e73cb58137d97124ee2586b74d3bd49

SHA1
3a7c23eb151b19a9cd111b81b087fdce5a96725c

SHA256
7d15b0e888c40b3e229fb43d5f2274e4822e92c3ba61bd622e045d233721d6e9

SHA512
93ebd1a7d312486f8c2d91f84f57f3c2ca3b745c75b457ae20c437b64951341c71deb45e58f906e8b0d3235912e0c31e296cf925fe496d4e81a69c78b5f414e4

Download Submit
memory/3612-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-10-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/3612-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-34-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing