3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697c

General

Target

3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe
Size

467KB
MD5

429423ec04fc97aa2bf982c2b581f8d0
SHA1

08f7a0fe8d22c0999198903b9f8babf10a3f7430
SHA256

3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697c
SHA512

fd018cc5b896a632382bc677f16c5fa22c09f067a447c2651aff5a81eaa834b04fa0d540bbe9de07132c94d684d5bd34794530cf88efa384049a93d25691137c
SSDEEP

6144:mSyAAwKrd01YZW9mhO81rtfTWZGy1Q34HOSR4R5DL5jnbePmbZSbuNIooawVyEFZ:PYO1QIubR5pjiPmTlomS5OC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	D0B7.tmp

Loads dropped DLL 1 IoCs

pid	Process
2232	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D0B7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2184	D0B7.tmp

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	D0B7.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2068	WINWORD.EXE
2068	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2184	2232	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe	31
PID 2232 wrote to memory of 2184	2232	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe	31
PID 2232 wrote to memory of 2184	2232	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe	31
PID 2232 wrote to memory of 2184	2232	3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe	31
PID 2184 wrote to memory of 2068	2184	D0B7.tmp	32
PID 2184 wrote to memory of 2068	2184	D0B7.tmp	32
PID 2184 wrote to memory of 2068	2184	D0B7.tmp	32
PID 2184 wrote to memory of 2068	2184	D0B7.tmp	32
PID 2068 wrote to memory of 2964	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 2964	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 2964	2068	WINWORD.EXE	34
PID 2068 wrote to memory of 2964	2068	WINWORD.EXE	34

C:\Users\Admin\AppData\Local\Temp\3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe
"C:\Users\Admin\AppData\Local\Temp\3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\D0B7.tmp
  "C:\Users\Admin\AppData\Local\Temp\D0B7.tmp" --pingC:\Users\Admin\AppData\Local\Temp\3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.exe 5F04192176F3FDAD6CC82D9C30F55EA03AFAD39A4BB7E857678AE8439CA92546B08D5B8C911A94F7E66DC8D44B25F06A494ED88A2B7E2CECE8B4F757888A0ACF
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ac543719771b439c7d8dedb6a4cbe113bb9d80d226426e9387d24fb5e2a697cN.doc

Filesize
35KB

MD5
59975947e6db92e743655ebdf2e3c495

SHA1
5e967d85a4df28f9fed485156919a14fb411d18d

SHA256
83c9df8884ffd5b51bdbdb9314d587477ecf50c3144c6c230ded3a3041f24e05

SHA512
1cdc533bcc9bf50c69dd3a516c4fff8f24cf2ba9ecf1df885c12d4f459727b63c2d7f1a388ac0a4ac2fe59fe1bd5f5cb623001c736df33490fb245e06d7af692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\D0B7.tmp

Filesize
467KB

MD5
c9dfb025835605d79816d271a8d4f3a1

SHA1
a407f4ab5dd56f040984991fc396f7ad82737194

SHA256
3cb1e2ce532e0ad383100c080f736d4046aac3561df94275698e7a21a3d86cfe

SHA512
ca1d15bf10d79d6af89b745b0f8bc9d76017fd5ed24c3b5143e027e46a70078dc63c111f118e91501af41cb0dc2160d82f8afbfef32fc0600dc07b134a15b242

Download Submit
memory/2068-13-0x000000002FEB1000-0x000000002FEB2000-memory.dmp

Filesize
4KB

Download
memory/2068-14-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2068-15-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2068-33-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2184-8-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2184-12-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2232-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2232-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads