182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c

General

Target

182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe
Size

576KB
MD5

8c76b929ddab15068a9ac089fded0f81
SHA1

b222afc7e6c4473a624d140d6b6f7abacb4713a7
SHA256

182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c
SHA512

9c3c240f275be257b8f5fddf173f9ee562b3a41c75ff499d84623eb78bb08bbc4de06744cd267eb371a5a7c939e0902522deca8d85c9c5d63c3cd5f8609d5ec9
SSDEEP

12288:sYIW0p98Oh8P7h8IGLbPC3YaBeZmj/Kvo/u:gW298E8u/LbKIiUmj/Kvo/u

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	E782.tmp

Loads dropped DLL 1 IoCs

pid	Process
2772	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E782.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	E782.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2888	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2812	E782.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE
2888	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2812	2772	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe	31
PID 2772 wrote to memory of 2812	2772	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe	31
PID 2772 wrote to memory of 2812	2772	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe	31
PID 2772 wrote to memory of 2812	2772	182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe	31
PID 2812 wrote to memory of 2888	2812	E782.tmp	32
PID 2812 wrote to memory of 2888	2812	E782.tmp	32
PID 2812 wrote to memory of 2888	2812	E782.tmp	32
PID 2812 wrote to memory of 2888	2812	E782.tmp	32

C:\Users\Admin\AppData\Local\Temp\182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe
"C:\Users\Admin\AppData\Local\Temp\182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\E782.tmp
  "C:\Users\Admin\AppData\Local\Temp\E782.tmp" --pingC:\Users\Admin\AppData\Local\Temp\182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.exe D759C537D48BB7A4FD4258F60347315B648662EC998742E2D3E120220AA881376B336C7F7072A7489F17830D694F887FDFE8398AD5425F19918F16AA484B7D19
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.docx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\182fa8751291fab0c72a7634e8c7456410a3a4ac6dbbd17ffe6af30d4d52124c.docx

Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E782.tmp

Filesize
576KB

MD5
d0b46d8aa16dee06a6ee0f8997a5e985

SHA1
8f77363230cee682f03c0cd817229a0789997c30

SHA256
9111e6823cdd58cc2f506348611db3401deac65f4bddc182fd2c14e906d236c1

SHA512
709d4455608e8bfcc75020205b8973595abbdec59a52818f7ca4e7fbdae5f4dcc83797c745658e5037532fd1502388b87d9b6a6030e06238a716c0395c766401

Download Submit
memory/2888-7-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

Filesize
4KB

Download
memory/2888-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2888-9-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download
memory/2888-12-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads