0bf0765457ceef8d7db3a99b425f95e63160c38085bed70d14548a4b384118ab

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a033cd5ed80a51eb8fd5e69b32e4e70N.exe
Size

874KB
MD5

7a033cd5ed80a51eb8fd5e69b32e4e70
SHA1

bdf4b9b6aad18f3e5be6fe551a08a7d46564add9
SHA256

0bf0765457ceef8d7db3a99b425f95e63160c38085bed70d14548a4b384118ab
SHA512

00e04bfc8ff0ce9a989f9e896aa60fcbcd6c82c7571498dc78e1481df88e7c56711b1e05f420897853678509327c8f4e2f06b01fa5500ffbc0321ecb2ef27d7d
SSDEEP

12288:eYIW0p98Oh8P7h8iVBD5MhX3VWec2C9Fy9f/YfYIWuOh8P7h8:uW298E8uiVtyEec2qFy9fkWuE8u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2956	B7F9.tmp

Loads dropped DLL 1 IoCs

pid	Process
800	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B7F9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2956	B7F9.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2060	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	B7F9.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2956	800	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe	30
PID 800 wrote to memory of 2956	800	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe	30
PID 800 wrote to memory of 2956	800	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe	30
PID 800 wrote to memory of 2956	800	7a033cd5ed80a51eb8fd5e69b32e4e70N.exe	30
PID 2956 wrote to memory of 2060	2956	B7F9.tmp	31
PID 2956 wrote to memory of 2060	2956	B7F9.tmp	31
PID 2956 wrote to memory of 2060	2956	B7F9.tmp	31
PID 2956 wrote to memory of 2060	2956	B7F9.tmp	31

C:\Users\Admin\AppData\Local\Temp\7a033cd5ed80a51eb8fd5e69b32e4e70N.exe
"C:\Users\Admin\AppData\Local\Temp\7a033cd5ed80a51eb8fd5e69b32e4e70N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\B7F9.tmp
  "C:\Users\Admin\AppData\Local\Temp\B7F9.tmp" --pingC:\Users\Admin\AppData\Local\Temp\7a033cd5ed80a51eb8fd5e69b32e4e70N.exe A5E5D5F1CE370FDF98969FE264A3451693A20BA6DFFB461D8ADF0AD373A9B9E46D3BEF8D4A8A516C0EBB5CE6B7E4733B04D34FDA5086153A759C8D928264F529
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7a033cd5ed80a51eb8fd5e69b32e4e70N.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7a033cd5ed80a51eb8fd5e69b32e4e70N.docx

Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
\Users\Admin\AppData\Local\Temp\B7F9.tmp

Filesize
874KB

MD5
9c9af294159ea16914164b2c32af5dc6

SHA1
56edfb340d755d8f5f1c57fc5daf5d9d84dedde4

SHA256
63f63ff9355a5dda25c40eeca24c25710efad0506e3b493dff511ffc3a97ea81

SHA512
f6e14b4090858a8f1f5f20a85bfca42460ace2155c67bc337e7147945402833f71d5418a492ecb3d0acb34aef441fc4f5f966178e52012b00cad97998ab7b7bd

Download Submit
memory/2060-7-0x000000002F8B1000-0x000000002F8B2000-memory.dmp

Filesize
4KB

Download
memory/2060-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2060-9-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads