f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2

General

Target

f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe
Size

467KB
MD5

43aa7cd5c5f070e7376405a13d242a50
SHA1

2de67d6cff66cdbace3f4a3290062b1113520db3
SHA256

f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2
SHA512

69f4cba0e99fc2a1f4ecb4d4fe9bf44975bede14758c6b6a13572834748125b7d8262fcd09272aa6acb88c709f46ca09a96034180a34787a535dc75a8bd9e5ac
SSDEEP

6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DLjVGHqiJUWPK2gFUV0rzK3xv:PYO1QIubR55BYXRgKiruB6jC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	8028.tmp

Loads dropped DLL 1 IoCs

pid	Process
3028	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8028.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
860	8028.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
860	8028.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	WINWORD.EXE
2708	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 860	3028	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe	30
PID 3028 wrote to memory of 860	3028	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe	30
PID 3028 wrote to memory of 860	3028	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe	30
PID 3028 wrote to memory of 860	3028	f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe	30
PID 860 wrote to memory of 2708	860	8028.tmp	31
PID 860 wrote to memory of 2708	860	8028.tmp	31
PID 860 wrote to memory of 2708	860	8028.tmp	31
PID 860 wrote to memory of 2708	860	8028.tmp	31
PID 2708 wrote to memory of 392	2708	WINWORD.EXE	33
PID 2708 wrote to memory of 392	2708	WINWORD.EXE	33
PID 2708 wrote to memory of 392	2708	WINWORD.EXE	33
PID 2708 wrote to memory of 392	2708	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe
"C:\Users\Admin\AppData\Local\Temp\f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\8028.tmp
  "C:\Users\Admin\AppData\Local\Temp\8028.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.exe 104C5FD4D86152CF702C0217FCA6EF31939681A5A4B5D7E084536DF5E33388073DE601712955207115396C532A4B3EBF8B2DDB8617A818F0DA139FE9A4535593
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8028.tmp

Filesize
467KB

MD5
c0dd0a8ef9e66ef43b75022bc6ab60bb

SHA1
860433f188ae024fe4f43ca04a2c7cbe32cc01b4

SHA256
6d7bc039d6f01c1eadd4adb0de3b07165580fd623e9b8da3f40e13e26374c607

SHA512
a717ba0bd343a9e239e485096063064b673db52781a4dabdca9142cc21e52bc47aba43d9ef575b369913c5b0c6283374d51e6658307383b78afef7ac558f7f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5082352025366bf2e6dd04212c74d9fefdea41960f867a3ff998d1dfd9ecbf2N.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
74a2e4c6b51d9b8b012445052ac4b723

SHA1
7adf6b795409505b7d8019c309fead278a6dd708

SHA256
cab9e20e70bc50432ac37d3c3791c391ed19141b38506f034c6a19d7911d4558

SHA512
b63d3d4e447e474e36e57067611ffa122052c32a3c910404c7496a6b4941387608b9ef61f8dc7a3caab4f5082ec0e3786f7dc866f1ba6a2762b212c2f206ef66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/860-9-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/860-13-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2708-14-0x000000002FF51000-0x000000002FF52000-memory.dmp

Filesize
4KB

Download
memory/2708-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-16-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/2708-34-0x000000007161D000-0x0000000071628000-memory.dmp

Filesize
44KB

Download
memory/2708-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3028-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3028-7-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3028-35-0x00000000023D0000-0x000000000244E000-memory.dmp

Filesize
504KB

Download
memory/3028-8-0x00000000023D0000-0x000000000244E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads