6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f

General

Target

6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f.exe
Size

649KB
MD5

72ffe1a2632f80b03daffba9948bfd8d
SHA1

9bbb7cde0abbc398de7d0e4f556818722a8e81e5
SHA256

6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f
SHA512

adff1b26b3f4587d886cc38b8c33880c1ca3fc39f034152e7976d3166caece54da07186e78a7f5fa8f1c73c44001e08e7f1d3ac8d823389e3b22656e8a9c00ed
SSDEEP

12288:VxgOfaljcI1TX+Sb9Ct3X418aYkQi02nWY6OcbdYRls7rCs+vMA:VxnGcI1ySb8t3o1PYo7ntchT/GE

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1884	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
888	msinfo32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE
1884	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f.exe
"C:\Users\Admin\AppData\Local\Temp\6212fa8e35896123bd25ddfce03ec95ef9a0b55414a75b7f6428bd79aee0ef5f.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4188

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\LockShow.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:888

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\FindCopy.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
347B

MD5
3d3e4293ad0f11f99f09726c7fc838a5

SHA1
90bf131db448fa831d181957cf24cd99730b8ff8

SHA256
40d095963f8a35677c71e9dc2c1be608f467e4939b4803c03eb91e8f1607a304

SHA512
11fa7a5c6255d1f20cdfffb388c455cc91e1b0954414e965af9275f3eb62e4a483c6c5e3d586127a616996df2caa80ad1d67b7d45efbf6cde429dd5eb5b3bf40

Download Submit
memory/1884-11-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-9-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-16-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-4-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-14-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-12-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-0-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-8-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-7-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-6-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-10-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-17-0x00007FFB81D10000-0x00007FFB81D20000-memory.dmp

Filesize
64KB

Download
memory/1884-13-0x00007FFB81D10000-0x00007FFB81D20000-memory.dmp

Filesize
64KB

Download
memory/1884-15-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-1-0x00007FFBC48C3000-0x00007FFBC48C4000-memory.dmp

Filesize
4KB

Download
memory/1884-3-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-5-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-18-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-20-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-19-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-2-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-36-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-47-0x00007FFBC48C3000-0x00007FFBC48C4000-memory.dmp

Filesize
4KB

Download
memory/1884-48-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download
memory/1884-57-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-59-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-58-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-56-0x00007FFB848B0000-0x00007FFB848C0000-memory.dmp

Filesize
64KB

Download
memory/1884-60-0x00007FFBC4820000-0x00007FFBC4A29000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads