1724fa5f21ec03ba2a2595979dba9099b9fcb1329ec19020faa7ffd082b4a490

General

Target

912ad03e048e2a658d18b61e2f3e1da0N.exe
Size

517KB
MD5

912ad03e048e2a658d18b61e2f3e1da0
SHA1

97f2b663acd5555aa795b6cdbc19ecda5652298a
SHA256

1724fa5f21ec03ba2a2595979dba9099b9fcb1329ec19020faa7ffd082b4a490
SHA512

9596b7ba981f0d1c18fe58d962d233685c7a1ce354eee57c623c0e963e3e6471351bba17bf9b62c11e18234c3d7b04bd6eb0a54b8852243c291ce9df22708938
SSDEEP

12288:bWBm+95nHfF2mgewFX5R0CH5iFZWCjA5pW2JmrbNLRUVi:bWBz95ndbgfX5aiIPWgA5DorbNLRUVi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1596	B819.tmp

Loads dropped DLL 1 IoCs

pid	Process
1620	912ad03e048e2a658d18b61e2f3e1da0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	912ad03e048e2a658d18b61e2f3e1da0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B819.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1596	B819.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
420	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1596	B819.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
420	WINWORD.EXE
420	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1596	1620	912ad03e048e2a658d18b61e2f3e1da0N.exe	30
PID 1620 wrote to memory of 1596	1620	912ad03e048e2a658d18b61e2f3e1da0N.exe	30
PID 1620 wrote to memory of 1596	1620	912ad03e048e2a658d18b61e2f3e1da0N.exe	30
PID 1620 wrote to memory of 1596	1620	912ad03e048e2a658d18b61e2f3e1da0N.exe	30
PID 1596 wrote to memory of 420	1596	B819.tmp	31
PID 1596 wrote to memory of 420	1596	B819.tmp	31
PID 1596 wrote to memory of 420	1596	B819.tmp	31
PID 1596 wrote to memory of 420	1596	B819.tmp	31
PID 420 wrote to memory of 2840	420	WINWORD.EXE	33
PID 420 wrote to memory of 2840	420	WINWORD.EXE	33
PID 420 wrote to memory of 2840	420	WINWORD.EXE	33
PID 420 wrote to memory of 2840	420	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\912ad03e048e2a658d18b61e2f3e1da0N.exe
"C:\Users\Admin\AppData\Local\Temp\912ad03e048e2a658d18b61e2f3e1da0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\B819.tmp
  "C:\Users\Admin\AppData\Local\Temp\B819.tmp" --pingC:\Users\Admin\AppData\Local\Temp\912ad03e048e2a658d18b61e2f3e1da0N.exe E78E5FE2D7A177C5AE07AB4434B377BEF7397AC8E40F20F6DB2FE2265ED29318A3F7B7A48AF1A7879D3556DC0F62D0AD5F9A4F6CCCF4E0A31EBA1E6B2DC08761
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\912ad03e048e2a658d18b61e2f3e1da0N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\912ad03e048e2a658d18b61e2f3e1da0N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ffe6bc601eed30e07d753c391d4da27d

SHA1
134d9897e7c8746861b311dfde4e8b1391d8b03a

SHA256
38ad57fbb626708b54630f92a6b096422be1f2577457d1cf4ca4b869a1c57377

SHA512
debaf719aa194db11d55d43898f74bc462316427aba19eaaf2fb8c21600d72e80d7357d16b24d2cb2715a3d8af0ddb074db2ef8bdd2303e8c5231ca929f3e451

Download Submit
\Users\Admin\AppData\Local\Temp\B819.tmp

Filesize
517KB

MD5
dcff7099f3cea318907e8445d4c4c1d7

SHA1
6d63a36bc5a5263347644b111b80f4ba217ac9cd

SHA256
821bc38840edd923040d8c0e8cdf288a4ebbef27e9a92ba429e42f4da90248db

SHA512
c4fb9116883b41025558b71b214ebe501bf6293016a59e12aa4ad6d5f64bc5319a4cb9b1a5bedab9534331c55760b628c584fb7eb95ce496ae390915f4476975

Download Submit
memory/420-11-0x000000002F411000-0x000000002F412000-memory.dmp

Filesize
4KB

Download
memory/420-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/420-13-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/420-18-0x00000000715BD000-0x00000000715C8000-memory.dmp

Filesize
44KB

Download
memory/420-33-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1596-7-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1596-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1620-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1620-5-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads