e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5

General

Target

e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe
Size

2.0MB
MD5

0fa75e9407747ae697433ec5d5f732bb
SHA1

1ef9328053fae90b015cbbf31a693ec1bfbbd0d1
SHA256

e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5
SHA512

4b6ef2e974d3fe19ac8cc6d2ecf888edda6dac772ad74ce68edab39a93dba5b5387c95663df7da1bf2399b7cce92fce48a331812872ba9664088f301f9d1a76e
SSDEEP

49152:r+CQS88KQUnnhs3YMuQIIUf3MaoOTNz5DZb5YRtLLy+z:6S8jQIq3YML+FoOTNVZtYRt3y

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1572	A19C.tmp

Loads dropped DLL 1 IoCs

pid	Process
1196	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A19C.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1572	A19C.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2196	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1572	A19C.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2196	WINWORD.EXE
2196	WINWORD.EXE
2196	WINWORD.EXE
2196	WINWORD.EXE
2196	WINWORD.EXE
2196	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1572	1196	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe	30
PID 1196 wrote to memory of 1572	1196	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe	30
PID 1196 wrote to memory of 1572	1196	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe	30
PID 1196 wrote to memory of 1572	1196	e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe	30
PID 1572 wrote to memory of 2196	1572	A19C.tmp	31
PID 1572 wrote to memory of 2196	1572	A19C.tmp	31
PID 1572 wrote to memory of 2196	1572	A19C.tmp	31
PID 1572 wrote to memory of 2196	1572	A19C.tmp	31

C:\Users\Admin\AppData\Local\Temp\e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe
"C:\Users\Admin\AppData\Local\Temp\e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\A19C.tmp
  "C:\Users\Admin\AppData\Local\Temp\A19C.tmp" --pingC:\Users\Admin\AppData\Local\Temp\e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.exe 1779663547445A60331ABF3D2D6D17DC3572E3899F322EBA57EA3A1DAC4F9D937390FEF7B3A1B77077F0D686B775FAD280C043D254B7109F0DF65A6E8E4A5217
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e9851a1308c94d3662e2cf5b7086679aefb2a63d6454459cfceb033585d12be5.docx

Filesize
21KB

MD5
e4098a63fecda5bb888f9714395acbc6

SHA1
0873005b98c70398e067eedf265a91214aca400e

SHA256
acbc1966b31286bfa107541100ba4075af342a12bcbee0baecfbdad941e73fa6

SHA512
64299baf51ffa5fc0fed933f1ee02dbb23b6ca9c8081be122462f3de3dffb74e2c103876e449a193689765bcd504aa1b2f798972112aae73bcfab14eb62e9322

Download Submit
\Users\Admin\AppData\Local\Temp\A19C.tmp

Filesize
2.0MB

MD5
d2da6e8dd6c55a4484877c6bdae2116a

SHA1
114816c2fc662be6099d8fe96c58db572c3d97e3

SHA256
f0185f43f4107e6daa496d2b5e953d29df87a8fe0ec2854061caa60015f5716b

SHA512
0be4b33896f030336ec4c8336b314a1653866ab359c50b6d03417c4592fd748feb198a694bd1261c8738f9f861ee46145ba74542948ff44b948f21fbc94240e7

Download Submit
memory/2196-7-0x000000002F2E1000-0x000000002F2E2000-memory.dmp

Filesize
4KB

Download
memory/2196-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2196-9-0x000000007133D000-0x0000000071348000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads