5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 01:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
Size

3.5MB
MD5

2868f61931a02dbbc3590b81aa0e607e
SHA1

aab4aace0e4af4e8b4c78e24c5e731241b8d9751
SHA256

5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a
SHA512

c183b70a445ef2a1e572b2cb761c97e10c4fc9de0581327ec859d1a17cd9879327febadae8d5536b6d9b649cbb6c86b3e73def60d021b2d6a94cda56ab5fbc1a
SSDEEP

98304:oJcUQLUGrupm8ECjd5bzSq6uxlZKL+DIvb+RB07K:GPGZKm8Ee7z7RMiXnF

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2752	irsetup.exe
2140	load.exe

Loads dropped DLL 10 IoCs

pid	Process
1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2140	load.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000173b8-3.dat	upx
behavioral1/memory/1152-46-0x0000000003220000-0x0000000003608000-memory.dmp	upx
behavioral1/memory/2752-52-0x0000000000D50000-0x0000000001138000-memory.dmp	upx
behavioral1/memory/2752-90-0x0000000000D50000-0x0000000001138000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3040	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2752	irsetup.exe
2752	irsetup.exe
3040	WINWORD.EXE
3040	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 1152 wrote to memory of 2752	1152	5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe	30
PID 2752 wrote to memory of 3040	2752	irsetup.exe	31
PID 2752 wrote to memory of 3040	2752	irsetup.exe	31
PID 2752 wrote to memory of 3040	2752	irsetup.exe	31
PID 2752 wrote to memory of 3040	2752	irsetup.exe	31
PID 2752 wrote to memory of 2140	2752	irsetup.exe	32
PID 2752 wrote to memory of 2140	2752	irsetup.exe	32
PID 2752 wrote to memory of 2140	2752	irsetup.exe	32
PID 2752 wrote to memory of 2140	2752	irsetup.exe	32
PID 3040 wrote to memory of 532	3040	WINWORD.EXE	34
PID 3040 wrote to memory of 532	3040	WINWORD.EXE	34
PID 3040 wrote to memory of 532	3040	WINWORD.EXE	34
PID 3040 wrote to memory of 532	3040	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe
"C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1928226 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\5cca916c65c66e18fee71185f716090f8b69894f7a2a9a2a3568f599e6a9882a.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2958949473-3205530200-1453100116-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Public\tmp\document.docx"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:532
- - C:\Users\Public\load.exe
    "C:\Users\Public\load.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2140

Network

DNS

www.tencentcloud.site

load.exe

Remote address:

8.8.8.8:53

Request

www.tencentcloud.site

IN A

Response

No results found

8.8.8.8:53

www.tencentcloud.site

dns

load.exe

67 B
132 B
1
1

DNS Request

www.tencentcloud.site

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a1559d08c9fdfe688478a5cc08ed7691

SHA1
eca898ec540c5eae5f6d042bee551c5a73312b7d

SHA256
af4dfeb39acf6fe9a230b5947926715d25f283ef154a3b077753bd16acbaf879

SHA512
d7abc58a3080d92be27f23895fe11fc07a86f6db8b3098a1ac22e971619c607507eff04c4806bf3328f9801f0ab9dbf470f9bb95f99cc82496013d740ee929db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\Uninstall\uninstall.xml

Filesize
7KB

MD5
f92db87c6a6aec3e316a8a2d01fb42e5

SHA1
5495e8380032937b15b5d6b2396106ef95c0c245

SHA256
82ababa5b07f0e7f8c0d16a92a45e6aafa42ff8f3ff53b6aad855190c61ad912

SHA512
db0f79884cb8331ffd3fd441ada08520b973590d7e0305390e602a5ee1299e807a2b45189f7df9e13292c324a6af95ca9bd61cef715e00852bec1d19a1f8a936

Download Submit
C:\Users\Public\tmp\document.docx

Filesize
1.3MB

MD5
3c864941dbc7c30b91700d20e038db33

SHA1
6d717e5030917bd33ce817b30d61c705a23e72ed

SHA256
8442767b5ed63b7d76b7f8d6738402ef0561fefc811684495ae89ecd05f11ff6

SHA512
10e151c448f28fd5e9a883194a716f81769145de3657c6e152f6b821d252142d8ca713b5d68e915f660a975344331fbf0f50668836999cd97f2cb43dbc34f9a4

Download Submit
C:\Users\Public\tmp\~$cument.docx

Filesize
162B

MD5
e3607c300f8b4d23e10205903b7ad8d5

SHA1
285404c8b6ee1c8fbc4b4ec05f6e842cddb04773

SHA256
8986f5f98a2617dbf5ef61354260003f097253e8b13a72b7ff9cc3d673b94bf6

SHA512
de0aed25da2a1452dd0f3c85a2a9784597f14f69b2a93a2775f9d18d2f6908d5cac8825e2384a9456a20f4d0f9eee4671b57c32b2ef17436d584a7f29a5b0d86

Download Submit
C:\Users\Public\zh-cn

Filesize
289KB

MD5
819f068ac3ba2f08b55c2a0f6b771583

SHA1
3685b6d73f076ea5c8a94c833c0c9ca619807ab2

SHA256
6f817f367849b33de103f1d1a135ed7832874ba2ad42a3fb25f20c71f2db04bf

SHA512
209f77f0a790dff544eb5d1c57b9200ed0676a5be2c98529d85e3f0ce0b613aa395f1274ce70c33998ec0603b3dd4479bc91005c74fbdd35467544902e931c15

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
7eb6266334c70e3ffa235d2571614734

SHA1
de003214a0034ca3dbe9ed35f482f2aaa235c5d7

SHA256
0249a947699c4b9678718905d93811a0abb4e1b9528c405f70102ceea68bb00f

SHA512
f965de30102d1ca4f305379ce719378dc9bf23fb461318558548df9304154636123b4dea8ce19bc339d53f4c0bfc85205807250fe253d763da08105336ecac0d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Public\lang.dll

Filesize
183KB

MD5
13274229a2af30f6e20ee9c0f20108d2

SHA1
a27e58fdcf833206946ce8d92a852782a280d0eb

SHA256
215c9890c3259f3ca89368c12df1691a82516cfd42df1128983ce36047c81273

SHA512
862e9125b19850a6a07e312854ec34492b584b6f7831463aa94e40ba92b3518db2a1b587d7716b2a70860faa891a17110d9805c167ef64a40731b857c6f0f7c6

Download Submit
\Users\Public\load.exe

Filesize
28KB

MD5
16c577b885a3293edb8ac665b2070b42

SHA1
4876900fdb45b6ff78851eb9ed319760f72904f1

SHA256
16dc6ec0d946d0aabfdcf8975dffc5a914ef09c9a6ddc86bd5f8c7030c56e1e2

SHA512
b69dfc1b91063d171f5756d9def0b5616f9871b711305c436e2c6e0a163a98a8ed1dad60dc7dcc2a7ffbe81ae037089f9f7fde448eb5515b34846b04b87050a3

Download Submit
memory/1152-73-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/1152-46-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/1152-47-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/2140-94-0x000007FEBD640000-0x000007FEBD650000-memory.dmp

Filesize
64KB

Download
memory/2140-97-0x0000000000470000-0x00000000008DB000-memory.dmp

Filesize
4.4MB

Download
memory/2752-90-0x0000000000D50000-0x0000000001138000-memory.dmp

Filesize
3.9MB

Download
memory/2752-75-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/2752-52-0x0000000000D50000-0x0000000001138000-memory.dmp

Filesize
3.9MB

Download
memory/3040-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3040-141-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download