68d30412f188fde938dfe42fca412792421eb6bf6888bbd44b0a29ddb40aeafc

General

Target

Hovac_API.dll
Size

302KB
MD5

fd6d62736b57c4cdc6239100d26c7004
SHA1

8f8b33152d5681b49891c340bc80ab677041890c
SHA256

debb42b3017c947881e28ca87ad33dbd47c87d5752daa85975187f99f761c29d
SHA512

4384eba9312667b4aa385dd709b8a4dd5732ae426d1984d8ba6909e998854b1957f8dc42c52bbe16eaf69bd49109f8ba17af54879dc174b43759f8476aaf5522
SSDEEP

6144:pxxiw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFm6axHU+:BkqjVnl36ud0zR/6CtQ9PUHIG8Dn+

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxExec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxExec2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxExec2.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1624	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	mmc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	RobloxExec2.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: 33	2576	mmc.exe
Token: SeIncBasePriorityPrivilege	2576	mmc.exe
Token: SeDebugPrivilege	1920	RobloxExec2.exe
Token: SeDebugPrivilege	3028	RobloxExec2.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2576	mmc.exe
2576	mmc.exe
1624	WINWORD.EXE
1624	WINWORD.EXE
1624	WINWORD.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Hovac_API.dll,#1
1⤵
PID:2296

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\ose00000.exe
"C:\Users\Admin\AppData\Local\Temp\ose00000.exe"
1⤵
PID:1592

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\DisableExpand.docm"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxExec2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c1b9c2d92ece8ae4eeba9121bea892d

SHA1
851e60eed7ef6588d32f0146a10758267a84ca02

SHA256
26099af21fe0b406cf52fc00af54f6ab89b5f40ea1c6ee0f91dbfd5352e019a1

SHA512
a191feeaf8e2d0802b2fcbd426385c5b6ec669605d45d5d35e7becbc6b6bc7c3c5b8d17bb963db19064fd8572863aa0c9b8aeac525a77ad18ef529f2806aea0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a66ed1c9dfbc523a509949b446a58ad1

SHA1
badee25263b746435c4ad2498e8e4a3473af4731

SHA256
4d076a36c94b8ddca0290f0108931c8f3f53294455d6dd1efa723bbae095f7ae

SHA512
e77c80389cdaa564be9611ec22c0231e07c1b16fba7dc401d5d665463b040c7684893b8e2f74839462d19d8ca835ea2bc200325219aaa2c9494e9d50a5161179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cce49eb37f91972d90d623c77cdc649

SHA1
4871a99a452033e5c6c3aa27cbbab382b03a8a8e

SHA256
4af6848fe583d43985df7aa1916d127c5660bdfffaf207ff91e94bcf2afcdb67

SHA512
d53499c2c6b5d74854d1e26bae563018a086b42461effae6ddcde47ea408c129c217aeb105121c461baaf88e259dcb91e2e47a336fd264d20079ea8b9a05b3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab10B5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11A2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
1cc53409655366afc2045a618fbd6f68

SHA1
11e73bfb4cb8740bf210f1451abd0edd0ee72daa

SHA256
a792ae6256cdffa764e739c91e5ff879135cfb8f633578e041e3eb0708aa7ebc

SHA512
9c234bcb518819818dcae285543cfc3bd96f3476b9992f1cf00960346ad1d401184c23c4efd78879e6b216693a27dcdf357bdd55c5848c8725808bc512c94d01

Download Submit
memory/1624-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1920-93-0x0000000004A00000-0x0000000004AB0000-memory.dmp

Filesize
704KB

Download
memory/1920-91-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/1920-92-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/2576-69-0x0000000002460000-0x000000000247E000-memory.dmp

Filesize
120KB

Download
memory/2576-70-0x000000001D3D0000-0x000000001D8A8000-memory.dmp

Filesize
4.8MB

Download
memory/2768-3-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-4-0x0000000004E60000-0x0000000004F10000-memory.dmp

Filesize
704KB

Download
memory/2768-67-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-66-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-68-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2768-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x0000000000520000-0x0000000000572000-memory.dmp

Filesize
328KB

Download
memory/2768-1-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/3028-111-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/3028-112-0x00000000005A0000-0x00000000005F2000-memory.dmp

Filesize
328KB

Download
memory/3028-113-0x00000000057E0000-0x0000000005890000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing