9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36

General

Target

9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe
Size

576KB
MD5

b1b81df0c453cbcc2764e016c3722402
SHA1

511c111a2c7eb8e21bfba17020df685f394283e7
SHA256

9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36
SHA512

865df6bcb2e9a928912aae83a48ab46a0f4d6df0c537d2fd00d23bf0f16a080700e4b28229e8da4b61c2b3d04460efc9ae573715a9a716758314459524adcadf
SSDEEP

12288:yYIW0p98Oh8P7h8r64DtAq/lYlc+4jIJirOoB/4uMe2r:qW298E8u+4BAqtqc+4eir5B/4uMe2r

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2384	9A2D.tmp

Loads dropped DLL 1 IoCs

pid	Process
620	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9A2D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2384	9A2D.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2380	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2384	9A2D.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE
2380	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2384	620	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe	30
PID 620 wrote to memory of 2384	620	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe	30
PID 620 wrote to memory of 2384	620	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe	30
PID 620 wrote to memory of 2384	620	9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe	30
PID 2384 wrote to memory of 2380	2384	9A2D.tmp	31
PID 2384 wrote to memory of 2380	2384	9A2D.tmp	31
PID 2384 wrote to memory of 2380	2384	9A2D.tmp	31
PID 2384 wrote to memory of 2380	2384	9A2D.tmp	31

C:\Users\Admin\AppData\Local\Temp\9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe
"C:\Users\Admin\AppData\Local\Temp\9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\9A2D.tmp
  "C:\Users\Admin\AppData\Local\Temp\9A2D.tmp" --pingC:\Users\Admin\AppData\Local\Temp\9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.exe 37D7EF2C8CA10C53F5D55EAEF9B8E10F9C08D4568A959AA53CFD02132331D6F39C0EEDB4D4EFBF7E5FE7ED248672F81F5E68DAA4BDB8A2B1F7DF87F68CD22C58
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9e250da738666881a4da906d129530b10cd23368b1ffdccb1b0b48b3ec677c36.docx

Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
\Users\Admin\AppData\Local\Temp\9A2D.tmp

Filesize
576KB

MD5
038d8a552412c4f9c057dc66328885af

SHA1
14e1cd34d2310f825c5f72589d16c08111441dbe

SHA256
dc5e5350938f07419f78d2682b1b8745d777a95d0704a29fbb563500885f39eb

SHA512
a157e12f97516ddb91980df42ebc78e2f1f7d1282221136f54bd531c44c89c3abad82ae260a6284700cc1c428bc77f55154a6fd0a639e09f7bb106ebabac75b4

Download Submit
memory/2380-7-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2380-9-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/2380-12-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads