55072636d7d921379202a652a2fa3f810cfe512bbf1986983208c05afad7ed4c

General

Target

d99579017272a16fe6771f25d2ad9f20N.exe
Size

409KB
MD5

d99579017272a16fe6771f25d2ad9f20
SHA1

e58ad46b41fc267fdbd542244180ce4f9c4630a3
SHA256

55072636d7d921379202a652a2fa3f810cfe512bbf1986983208c05afad7ed4c
SHA512

a7ad6b54275e180d03ed4af6da0d7aa8a7a53b6a1f162a02dd7cace44bfd13f6db1073da02dcb2e9bb514ecd1ec37465039bcadbc0e6a1b2dcfe4aeaf14cf9e7
SSDEEP

6144:ho+k6sXkPV9WBtpypFBK4Tu/66G51Nhz3plon4exBjITQAQsHE1:GrWcDkpFBK4TuqH7lQ4exB0Tdy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	DBBF.tmp

Loads dropped DLL 1 IoCs

pid	Process
2552	d99579017272a16fe6771f25d2ad9f20N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d99579017272a16fe6771f25d2ad9f20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBBF.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3052	DBBF.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2688	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3052	DBBF.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	WINWORD.EXE
2688	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 3052	2552	d99579017272a16fe6771f25d2ad9f20N.exe	31
PID 2552 wrote to memory of 3052	2552	d99579017272a16fe6771f25d2ad9f20N.exe	31
PID 2552 wrote to memory of 3052	2552	d99579017272a16fe6771f25d2ad9f20N.exe	31
PID 2552 wrote to memory of 3052	2552	d99579017272a16fe6771f25d2ad9f20N.exe	31
PID 3052 wrote to memory of 2688	3052	DBBF.tmp	32
PID 3052 wrote to memory of 2688	3052	DBBF.tmp	32
PID 3052 wrote to memory of 2688	3052	DBBF.tmp	32
PID 3052 wrote to memory of 2688	3052	DBBF.tmp	32
PID 2688 wrote to memory of 2724	2688	WINWORD.EXE	34
PID 2688 wrote to memory of 2724	2688	WINWORD.EXE	34
PID 2688 wrote to memory of 2724	2688	WINWORD.EXE	34
PID 2688 wrote to memory of 2724	2688	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\d99579017272a16fe6771f25d2ad9f20N.exe
"C:\Users\Admin\AppData\Local\Temp\d99579017272a16fe6771f25d2ad9f20N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\DBBF.tmp
  "C:\Users\Admin\AppData\Local\Temp\DBBF.tmp" --pingC:\Users\Admin\AppData\Local\Temp\d99579017272a16fe6771f25d2ad9f20N.exe BF3ED1D973AD0AF2325605377B0FD250D1BA8B4489DE93607B8B9E82E128CD4D792D872A334E4B11DDB0E39D63ECEB4A6203900B18902BBFA95A70F563671B42
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d99579017272a16fe6771f25d2ad9f20N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d99579017272a16fe6771f25d2ad9f20N.doc

Filesize
21KB

MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
2769f1b1c67e359493975af0a94d24f5

SHA1
e7ab8e75f4ca84920efcb646e46aac371e443b2f

SHA256
7ff73e7522e46fa842dd3e180bde888d8db05747faba1d934140588164380775

SHA512
d1c8c958b16cce50919e4126b60eb4fadb009a7f07e6fc54e33221763280803d2ffdbe2944a4c7797ef64517866b44786bb367bae31c8fdc0d17e14d95a8729f

Download Submit
\Users\Admin\AppData\Local\Temp\DBBF.tmp

Filesize
409KB

MD5
03148648080b37aba5473506764b0e65

SHA1
ab3b9d2283eb34e82ef170c7d5aba3401235af58

SHA256
4ddf22ef7bb2f6c8d48b526493816cb0faf4c5963dfb4bf856a90db667865fdd

SHA512
737b0faa740e6d3bc94e901a1607da2ab946985f0495a7ab3c8e2f9a3a0a6d6a07f81fce298df84dbe09afd6daa17ed246cbf2ae1e2e41ced6a0bcc2751e7e0f

Download Submit
memory/2688-7-0x000000002FE31000-0x000000002FE32000-memory.dmp

Filesize
4KB

Download
memory/2688-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-9-0x000000007357D000-0x0000000073588000-memory.dmp

Filesize
44KB

Download
memory/2688-13-0x000000007357D000-0x0000000073588000-memory.dmp

Filesize
44KB

Download
memory/2688-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads