e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9df

General

Target

e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe
Size

1.5MB
MD5

49f50d28a6b74a5a0fecf64253ddfb70
SHA1

65bf79e843bb5706d5dc24f51dc3fc2ae37e26a9
SHA256

e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9df
SHA512

47c8e56e1e6750d250efab901ab22bdf32e600593c4f340de48e73aefd9ca2c2de646830262cb6924574bb38c74341974365f612fe01b73dd7453b8b9f98297b
SSDEEP

1536:5ROJXGKhn2JoCvrj7RGEcjU30copKsu9VE7WZMl+LN4D/f4TEaY90rHc3YmFdaqg:YjVsTulb1Zkgcxq8PWxWi1fLr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4356	EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE
4356	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4356	4180	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	82
PID 4180 wrote to memory of 4356	4180	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	82
PID 4180 wrote to memory of 4356	4180	e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe	82

C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe
"C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.xlsx"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e623aac494af0e54ab670e708354c17f0b7fc4e9fe737c8fd19845b95a4ba9dfN.xlsx

Filesize
1.5MB

MD5
ccb4948d1744b128f96307722b22de87

SHA1
7892ac6c28b3698dd98d26d6312f180b3bb1c233

SHA256
c0b078682b66f209767b1e1bdbb64e924498e93399ff3ee4892896abe05546f4

SHA512
7e01ff700fe7aba0f688b794b6ae769e2de5378690ed907d04074d31e72e7a4dacacca3093e56c945c01f60223084fc9e0c80feaab8a79ca62c0db0fdc2b3a1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
680B

MD5
674f9756c4cdc861acd6fe63e45913fb

SHA1
e037e7bdf20ce0a48b85c8a3e60a8281c5d3c9fb

SHA256
a35bf39ca4b6809b134d77cced130ca42cbfd54a95e90ecbd31fe6b69a79128b

SHA512
ed6c5387733ea0f981c3b95ec14442d3312a06c6bf2edb56f04d6dd86ddd5de42cd574b32900c7362e15965898d15d07f2f3555932ed6d3285dba930a063f75a

Download Submit
memory/4180-0-0x00007FF8BD7B3000-0x00007FF8BD7B5000-memory.dmp

Filesize
8KB

Download
memory/4180-1-0x0000000000EE0000-0x0000000001066000-memory.dmp

Filesize
1.5MB

Download
memory/4356-21-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-24-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-11-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-13-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-12-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-17-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-16-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-15-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-14-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-18-0x00007FF898EF0000-0x00007FF898F00000-memory.dmp

Filesize
64KB

Download
memory/4356-19-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-20-0x00007FF898EF0000-0x00007FF898F00000-memory.dmp

Filesize
64KB

Download
memory/4356-9-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-10-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-26-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-25-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-23-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-22-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-8-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-37-0x00007FF8DB86D000-0x00007FF8DB86E000-memory.dmp

Filesize
4KB

Download
memory/4356-38-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-39-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download
memory/4356-7-0x00007FF8DB86D000-0x00007FF8DB86E000-memory.dmp

Filesize
4KB

Download
memory/4356-65-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-64-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-67-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-66-0x00007FF89B850000-0x00007FF89B860000-memory.dmp

Filesize
64KB

Download
memory/4356-68-0x00007FF8DB7D0000-0x00007FF8DB9C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads