8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
63s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-09-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

vlc.exeWINWORD.EXE

pid process

2892 vlc.exe
1356 WINWORD.EXE
1356 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2892 vlc.exe
Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

vlc.exe

pid process

2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe
2892 vlc.exe

pid	process
2892	vlc.exe
1356	WINWORD.EXE
1356	WINWORD.EXE

pid	process
2892	vlc.exe

pid	process
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe

pid	process
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe
2892	vlc.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

dl2.exedl2.exevlc.exeWINWORD.EXE

pid	process
2876	dl2.exe
4820	dl2.exe
2892	vlc.exe
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE
1356	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {E912DEC8-B93E-44AF-A5D0-3354DCFD132A}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SaveInitialize.3g2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ResumeMount.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
383B

MD5
83fd46c0ec8fa7a17af7f2fa35c90b5b

SHA1
89236fb68edb9a16c5d159ad4e8b77aac838c2e9

SHA256
be45c53a3db8c50cdc1ce818dac95a32cf33583af5fbae2beef3bb54e829467c

SHA512
9b065d51eb044a4f505e31bc73878cbbb2d2783aea50d5d46468416ec96134e9cf86eb27b2190d1f9c4977be58fe6a678eb9683512276096e06ab26fccd85778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
7d1daf090d3112a284c3e8083f7b0132

SHA1
0bd0cf16a1c08529e5b8c1b1bb3bbe672d872e15

SHA256
3b8fa168da77dc526bdae9367cfad86c06e9dcfd7d873b946a184442f1f820fb

SHA512
bd2e27259b454c85c7d5a68793cf3b1a1f730da1807aa63f27b648873e57cfea1dda0380ba6357d4e31e2a704ddbb8914ad7356f470227d257f08b6c4aa01c36

Download Submit
memory/2876-1-0x0000000002260000-0x0000000002290000-memory.dmp

Filesize
192KB

Download
memory/2876-8-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2876-18-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2892-35-0x00007FF93E830000-0x00007FF93E841000-memory.dmp

Filesize
68KB

Download
memory/2892-45-0x00007FF92F9C0000-0x00007FF92F9D2000-memory.dmp

Filesize
72KB

Download
memory/2892-28-0x00007FF942360000-0x00007FF942371000-memory.dmp

Filesize
68KB

Download
memory/2892-27-0x00007FF942500000-0x00007FF94251D000-memory.dmp

Filesize
116KB

Download
memory/2892-21-0x00007FF931960000-0x00007FF931C16000-memory.dmp

Filesize
2.7MB

Download
memory/2892-26-0x00007FF9426D0000-0x00007FF9426E1000-memory.dmp

Filesize
68KB

Download
memory/2892-30-0x00007FF93E8C0000-0x00007FF93E901000-memory.dmp

Filesize
260KB

Download
memory/2892-29-0x00007FF930F90000-0x00007FF93119B000-memory.dmp

Filesize
2.0MB

Download
memory/2892-25-0x00007FF9435E0000-0x00007FF9435F7000-memory.dmp

Filesize
92KB

Download
memory/2892-24-0x00007FF945FF0000-0x00007FF946001000-memory.dmp

Filesize
68KB

Download
memory/2892-23-0x00007FF9463D0000-0x00007FF9463E7000-memory.dmp

Filesize
92KB

Download
memory/2892-22-0x00007FF947350000-0x00007FF947368000-memory.dmp

Filesize
96KB

Download
memory/2892-40-0x00007FF93E780000-0x00007FF93E7B0000-memory.dmp

Filesize
192KB

Download
memory/2892-20-0x00007FF9431E0000-0x00007FF943214000-memory.dmp

Filesize
208KB

Download
memory/2892-43-0x00007FF93E760000-0x00007FF93E771000-memory.dmp

Filesize
68KB

Download
memory/2892-19-0x00007FF6C1410000-0x00007FF6C1508000-memory.dmp

Filesize
992KB

Download
memory/2892-44-0x00007FF92FE80000-0x00007FF92FED7000-memory.dmp

Filesize
348KB

Download
memory/2892-41-0x00007FF937890000-0x00007FF9378F7000-memory.dmp

Filesize
412KB

Download
memory/2892-34-0x00007FF93E850000-0x00007FF93E861000-memory.dmp

Filesize
68KB

Download
memory/2892-33-0x00007FF93E870000-0x00007FF93E888000-memory.dmp

Filesize
96KB

Download
memory/2892-42-0x00007FF937810000-0x00007FF93788C000-memory.dmp

Filesize
496KB

Download
memory/2892-39-0x00007FF93E7B0000-0x00007FF93E7C8000-memory.dmp

Filesize
96KB

Download
memory/2892-38-0x00007FF93E7D0000-0x00007FF93E7E1000-memory.dmp

Filesize
68KB

Download
memory/2892-37-0x00007FF93E7F0000-0x00007FF93E80B000-memory.dmp

Filesize
108KB

Download
memory/2892-36-0x00007FF93E810000-0x00007FF93E821000-memory.dmp

Filesize
68KB

Download
memory/2892-32-0x00007FF93E890000-0x00007FF93E8B1000-memory.dmp

Filesize
132KB

Download
memory/2892-31-0x00007FF92FEE0000-0x00007FF930F90000-memory.dmp

Filesize
16.7MB

Download
memory/2892-46-0x0000016EC6360000-0x0000016EC7BCF000-memory.dmp

Filesize
24.4MB

Download
memory/2892-56-0x00007FF931960000-0x00007FF931C16000-memory.dmp

Filesize
2.7MB

Download
memory/4820-17-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/4820-10-0x0000000002180000-0x00000000021B0000-memory.dmp

Filesize
192KB

Download