a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da

General

Target

a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe
Size

874KB
MD5

b1dcbcd025064b9ce31d7e69fdb95498
SHA1

7d63451cddb191dda793d26a8f3cee7b1836853c
SHA256

a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da
SHA512

5c5bd822189ee8f1735794246740eb1e071ebc34e3583c1c2c9340a12aeb4ec7f1c89e630fe218bfc1216ee92089079bfd7407d26c462615cdbf256f957206e3
SSDEEP

12288:eYIW0p98Oh8P7h8gsDTdusQSIW6kYAL8Or9f/YfYIWuOh8P7h8:uW298E8ugmkoP79fkWuE8u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	94EF.tmp

Loads dropped DLL 1 IoCs

pid	Process
2972	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94EF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2352	94EF.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1948	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	94EF.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1948	WINWORD.EXE
1948	WINWORD.EXE
1948	WINWORD.EXE
1948	WINWORD.EXE
1948	WINWORD.EXE
1948	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2352	2972	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe	29
PID 2972 wrote to memory of 2352	2972	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe	29
PID 2972 wrote to memory of 2352	2972	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe	29
PID 2972 wrote to memory of 2352	2972	a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe	29
PID 2352 wrote to memory of 1948	2352	94EF.tmp	30
PID 2352 wrote to memory of 1948	2352	94EF.tmp	30
PID 2352 wrote to memory of 1948	2352	94EF.tmp	30
PID 2352 wrote to memory of 1948	2352	94EF.tmp	30

C:\Users\Admin\AppData\Local\Temp\a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe
"C:\Users\Admin\AppData\Local\Temp\a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\94EF.tmp
  "C:\Users\Admin\AppData\Local\Temp\94EF.tmp" --pingC:\Users\Admin\AppData\Local\Temp\a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.exe 877A9BD690347F0E79A7A604BE92EA031F030570D00DF8A9DC1FACDCC67A388653C6D9CADAF5CB9D7798DAD7EB320B3E007B11DFEA33066D8552D7AF1DE75E1F
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94EF.tmp

Filesize
874KB

MD5
5e831cf22237377f6cbb82cc5a2dccab

SHA1
a3d981a9313cfd555980917edc7bea8037728759

SHA256
a85dcf893221ee02c3c9baf9207eb326c79759062c080becc8984ce944f71c9f

SHA512
eb16e8c9b4f1f8bacc7a72cc0065863800c22bb7bb7536c29ccb744068ee40475b65415e2c29a82bd2b7590e3ccd208c03984225ca221800c6b2c53e7cc6c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0a2bf37b9d3e667318930875879fdc553c4d93b7dc16cc972d844f10ca015da.docx

Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
memory/1948-9-0x00000000716ED000-0x00000000716F8000-memory.dmp

Filesize
44KB

Download
memory/1948-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1948-7-0x000000002F031000-0x000000002F032000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads