277705bad5bc284a94718bd295cc9c58cd34fa95d0f5ad755d499d213b9733e2

General

Target

9bb9440b291b1b9e2970ac0a67ee13a0N.exe
Size

409KB
MD5

9bb9440b291b1b9e2970ac0a67ee13a0
SHA1

30823a4f3ff575df248449c98fd00321ccbf2c07
SHA256

277705bad5bc284a94718bd295cc9c58cd34fa95d0f5ad755d499d213b9733e2
SHA512

364e5ff1aa686a2d5bd9c5a1c5ac9cfcf68459cd434408145021dcb449e2b700b1ec0b5711130bf4bda8735995082ed5535f224a7ea73b8e82ac2f308ff0b468
SSDEEP

6144:ho+k6sXkPV9WBtpypFBK4Tu/6xGjxi/LCeRjOQQ97aJ/ETLM42HSCT55GQCVsHE1:GrWcDkpFBK4TuEGqRsVrTLN+bGQCKy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	4C7B.tmp

Loads dropped DLL 1 IoCs

pid	Process
2332	9bb9440b291b1b9e2970ac0a67ee13a0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bb9440b291b1b9e2970ac0a67ee13a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4C7B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2248	4C7B.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2800	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2248	4C7B.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	WINWORD.EXE
2800	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2248	2332	9bb9440b291b1b9e2970ac0a67ee13a0N.exe	30
PID 2332 wrote to memory of 2248	2332	9bb9440b291b1b9e2970ac0a67ee13a0N.exe	30
PID 2332 wrote to memory of 2248	2332	9bb9440b291b1b9e2970ac0a67ee13a0N.exe	30
PID 2332 wrote to memory of 2248	2332	9bb9440b291b1b9e2970ac0a67ee13a0N.exe	30
PID 2248 wrote to memory of 2800	2248	4C7B.tmp	31
PID 2248 wrote to memory of 2800	2248	4C7B.tmp	31
PID 2248 wrote to memory of 2800	2248	4C7B.tmp	31
PID 2248 wrote to memory of 2800	2248	4C7B.tmp	31
PID 2800 wrote to memory of 2608	2800	WINWORD.EXE	33
PID 2800 wrote to memory of 2608	2800	WINWORD.EXE	33
PID 2800 wrote to memory of 2608	2800	WINWORD.EXE	33
PID 2800 wrote to memory of 2608	2800	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\9bb9440b291b1b9e2970ac0a67ee13a0N.exe
"C:\Users\Admin\AppData\Local\Temp\9bb9440b291b1b9e2970ac0a67ee13a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\4C7B.tmp
  "C:\Users\Admin\AppData\Local\Temp\4C7B.tmp" --pingC:\Users\Admin\AppData\Local\Temp\9bb9440b291b1b9e2970ac0a67ee13a0N.exe BFB1B589B1BE3E0348E8EDEF644C9F3C1841332E340C63151C3A3DD649A3AE23F884041699461147CEA9EA96759E8FD4CAF72B2D44FB67DD012D70AE90074E7C
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9bb9440b291b1b9e2970ac0a67ee13a0N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9bb9440b291b1b9e2970ac0a67ee13a0N.doc

Filesize
21KB

MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ec90c2afd42e27589abd8bf21ec176f9

SHA1
9ebe89f030ed1d2ea87e0de69af73987741c9b67

SHA256
333fedbb218e7438d4fbe0c2579689f5a2a5236b76f7cbeb2a7914b4699a9ff1

SHA512
a11cc253b837b04700d00943e37a25610c7211cc208d49d8c103362fd797e85dfd925bdeba1a8bc603537955468da1e6bea5db89f6f545425f331d7960df0332

Download Submit
\Users\Admin\AppData\Local\Temp\4C7B.tmp

Filesize
409KB

MD5
f78a5ba10dff54b615d37204a1e1a5dd

SHA1
62c970a09f753df563ff7d47c06f8b3ae3bb8cce

SHA256
cc6a8ed913ea9f37c4d0ea412131aeae4951ad5dccc0bd0aa1bb45a87b6ced63

SHA512
8c715885d521b77883e40f18c236e72ce6d43c41146f1dc05fcb41a34e4ffea2c8d5fa9b79c1610fdac4178765ec9119977205bd4f8e4e5a008080a36491f686

Download Submit
memory/2800-7-0x000000002F541000-0x000000002F542000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2800-9-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2800-14-0x0000000070D9D000-0x0000000070DA8000-memory.dmp

Filesize
44KB

Download
memory/2800-29-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads