ffd7d9eb5631675f8895e9c0d9695ce820d77e552a7e4d7901880c58fd1d1326

General

Target

f8a617154d5b5ca9c63cc6670997f930N.exe
Size

467KB
MD5

f8a617154d5b5ca9c63cc6670997f930
SHA1

338c0e650ae6d31743f57ea0edb7f7b28372edec
SHA256

ffd7d9eb5631675f8895e9c0d9695ce820d77e552a7e4d7901880c58fd1d1326
SHA512

308869af54ca0a9fd1ea7b88cc3bdd6bd0fff3e45cc3f5c7bfce8d6ff59ef42c84cfa1e5fdb0b181b59d018c16646a37c00caf15e5aada7409ec4884bbe31f9e
SSDEEP

12288:PYO1QIubR5Sv+IfXqbla3TuQLXrmLVXn0YC:gO1Ql5I+If6bla3yQLCZXn0YC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	9637.tmp

Loads dropped DLL 1 IoCs

pid	Process
2536	f8a617154d5b5ca9c63cc6670997f930N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9637.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8a617154d5b5ca9c63cc6670997f930N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1984	9637.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1988	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1984	9637.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	WINWORD.EXE
1988	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1984	2536	f8a617154d5b5ca9c63cc6670997f930N.exe	30
PID 2536 wrote to memory of 1984	2536	f8a617154d5b5ca9c63cc6670997f930N.exe	30
PID 2536 wrote to memory of 1984	2536	f8a617154d5b5ca9c63cc6670997f930N.exe	30
PID 2536 wrote to memory of 1984	2536	f8a617154d5b5ca9c63cc6670997f930N.exe	30
PID 1984 wrote to memory of 1988	1984	9637.tmp	31
PID 1984 wrote to memory of 1988	1984	9637.tmp	31
PID 1984 wrote to memory of 1988	1984	9637.tmp	31
PID 1984 wrote to memory of 1988	1984	9637.tmp	31
PID 1988 wrote to memory of 2964	1988	WINWORD.EXE	33
PID 1988 wrote to memory of 2964	1988	WINWORD.EXE	33
PID 1988 wrote to memory of 2964	1988	WINWORD.EXE	33
PID 1988 wrote to memory of 2964	1988	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\f8a617154d5b5ca9c63cc6670997f930N.exe
"C:\Users\Admin\AppData\Local\Temp\f8a617154d5b5ca9c63cc6670997f930N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\9637.tmp
  "C:\Users\Admin\AppData\Local\Temp\9637.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f8a617154d5b5ca9c63cc6670997f930N.exe 1ECE54D1C6946E58A8B492A1684093D6C1573BDF70AD1F0902E95A89A954090DBB94691F9CEC9F8C9F5C17694B8DD1A944E5329505F49A50522AD0E148618AA5
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f8a617154d5b5ca9c63cc6670997f930N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f8a617154d5b5ca9c63cc6670997f930N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
6e1de6f8257e6ccd7c450218b808dd81

SHA1
9d6fa6b78d2716003ef01459c8c1684740e8bd30

SHA256
7e49d790f20c61c294c0294487e316990a4bc3b9d65a6678dff3ec52b939745f

SHA512
54065d005ede05a434853f63c08611116c6f9e74fdca6c17a7392af3d0c22139ff25dcb412f21ac64d1ca4a0ad93bbf3341caa14e91f2d9d4a283620fa800f6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\9637.tmp

Filesize
467KB

MD5
b63b0e99b3c071ce21e2b823db603db9

SHA1
11e6e7be4bc6df8a697be073ab108a90b4005b66

SHA256
ab77f3188834ecd168517781844e605293b7b27a10e8fc10f94ff058fe5f652b

SHA512
871a6f4cc33cc81c9b6c0c25d7ee8ec5a5efeb699bd54f35cb05dbe6b130a3cd8ed47142a45cc72af2cc6c2d937ddba4f8b9aeb9aa7eac88c7f0f3940104eaf9

Download Submit
memory/1984-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1984-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1988-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1988-15-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/1988-13-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

Filesize
4KB

Download
memory/1988-32-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/1988-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2536-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads