c40577e0b5784fb65bcb285d578bd2c8b5dd5ed654edb4c3bee5d8f86e86a50e

General

Target

c40577e0b5784fb65bcb285d578bd2c8b5dd5ed654edb4c3bee5d8f86e86a50e.exe
Size

822KB
MD5

d9d1c819d0e9056e9232e192385ed083
SHA1

b6d384dd28ca55db2417f7ea166d2eb51964be18
SHA256

c40577e0b5784fb65bcb285d578bd2c8b5dd5ed654edb4c3bee5d8f86e86a50e
SHA512

5811754100867b12c40f7094b98faed91fe08dfbea44d49054f6bf6c38aee8de1deaca2b7b8296446411a9cccf241cd83a5f7c79c4ab89c22f2ea74294c42ccb
SSDEEP

12288:MSQfVTWDrgvyZ+MIsomgRMMWXZ+JXHdG/lAc0aoB1Z:GVTcZ+MyshN0ai

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
772	WINWORD.EXE
772	WINWORD.EXE
4556	EXCEL.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
772	WINWORD.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE
4556	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\c40577e0b5784fb65bcb285d578bd2c8b5dd5ed654edb4c3bee5d8f86e86a50e.exe
"C:\Users\Admin\AppData\Local\Temp\c40577e0b5784fb65bcb285d578bd2c8b5dd5ed654edb4c3bee5d8f86e86a50e.exe"
1⤵
PID:1328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2884

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\WriteOut.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:772

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\PushGrant.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
4f9531fad0bd83b0bb68150fd26eae91

SHA1
f7a059a4199eb7686320f7eb48904050edd4403c

SHA256
8bd01e00b2f86f65bab06c6aa63be1a8721ceb5c9730a2903cf00b8d44a825a7

SHA512
f7472cc3ed4ad6f20ad532698aa7cdd25cb7bc4095133e22187bb224a331edd4ca8a7efc85f3487b91f66364ab3c5a22e0033c2cdd189db404afff5389a50988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a16057c0dcc3a41dcfede0e6493b2c96

SHA1
581445ebce0d6bfe029b3c1210b112a185caf1d0

SHA256
143cfa6387eb724f5fd6bd02f82a825f3b66417807cbaf1b020e43708c82e819

SHA512
2c4f0aadb84e39825ef4f5f62e55b221e59a21ca6d23be65851cd34f69081415dc5661218f21a9e7d7b3244780d8fbf79672fda10bbbb13b64a1b4e824f057e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EADF521C-910D-44AE-BF86-C019A87123ED

Filesize
170KB

MD5
c722e480ccf9c5ffb2035fd589582a4f

SHA1
13abe7ef2d842b78589a27eaf8544bbe89489302

SHA256
4be87628e27dc8cb7a536ae4dad9112dd44e057b19a2df1714d0359c95d1d0cc

SHA512
a98ac6474bb249d43ac52a5f6c0e352c1f596a1a6ed10afdf1cd19461adcd2435faaa32cca3932cfd56e74a79e9384806e779ae01fc3ce478e46fa6ce925fab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
c1a28e2db3bc84f3b87a39007ef018f9

SHA1
6d996ea4d8c51570545310bc0453ae5fcd826a90

SHA256
4e21791f8b0e249d372fb48b8f88ff71aecd47e91b0e756fe2976832ab413556

SHA512
1081622b96bb6a7a4ac8bf59d19ddae23c47555b8e5204741676dec405d0db9246c2190618eb9dad175adb4d76bbae290dc14e8b129e2fff4e0b6e8a1cff1d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
9cacbdc8521eb0c4ae683b9c31c8b6a4

SHA1
257f892520c23d5d51e50c97a9be5e28c3337964

SHA256
6a3e8c25fb085d509dc800271da74fc8e763a02aff98b5d844c1a039ed8c821d

SHA512
af7bfed85d38aec01bce75626a9bbdd624ca5b622134637dc90ec9c22e425b6c4dce8c03b44cdddbef4d3157122dc91afab7950679c9bce526f144ae9dea1528

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
254B

MD5
e168af039415385e3a8dd8dd0e80e7bf

SHA1
e245b7424cae0241da04e6635b6250d40a300862

SHA256
cda52e3d9f9146c51a6749ae5536ae8b649482b6348cd816d12e22f92268eafe

SHA512
d7fbedc72c5e5cd2a6d98de60f1b901297b414b6fe2b849da598bfb7306bad6e5b58a046d7dc1516146f6e4b3d3c2c75d4d540fe91940669b5f6e2397ec82c65

Download Submit
memory/772-19-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-18-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-12-0x00007FFD16DD0000-0x00007FFD16DE0000-memory.dmp

Filesize
64KB

Download
memory/772-10-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-14-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-13-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-9-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-7-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-4-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-16-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-15-0x00007FFD16DD0000-0x00007FFD16DE0000-memory.dmp

Filesize
64KB

Download
memory/772-17-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-0-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-21-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-20-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-11-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-50-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-58-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-60-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-59-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-57-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-61-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-3-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-2-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-8-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-6-0x00007FFD19210000-0x00007FFD19220000-memory.dmp

Filesize
64KB

Download
memory/772-5-0x00007FFD59190000-0x00007FFD59385000-memory.dmp

Filesize
2.0MB

Download
memory/772-1-0x00007FFD5922D000-0x00007FFD5922E000-memory.dmp

Filesize
4KB

Download
memory/4556-69-0x00007FFD16DD0000-0x00007FFD16DE0000-memory.dmp

Filesize
64KB

Download
memory/4556-67-0x00007FFD16DD0000-0x00007FFD16DE0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads