d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
Size

35KB
MD5

36f81effc137f9905bfd08976337a87c
SHA1

59acb1b71b385128d55d8ce6d4037e3053885f63
SHA256

d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a
SHA512

262715bba41b5ba43ee393452a1c34d625007ef5f1b0c27da9d4079846463a41261f3950a5a6e87d6da782a5f880bb615f2f343cdebaf3aa30e77e35c0567895
SSDEEP

768:UEzNbLcQ9qQuVriDMuyuruTD0qB77777J77c77c77c7nOTs5E7+xP8:l3h9qQA6hZunrB77777J77c77c77c7OV

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\¬Ôüþéþüýý.exe\""	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components\{B6B5AD64-16D6-420B-2242-AD64224216D6}	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components\{B6B5AD64-16D6-420B-2242-AD64224216D6}\Direktori = "d[}xŠ\u008f…\u0090˜”}”š”•†ŽTS}‘“Š\u008f•†“OœSSSXbSYQNTbfbNRQWZNbSefNQYQQScTQTQZež"	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components\{B6B5AD64-16D6-420B-2242-AD64224216D6}\last-check = "¬Ôüþéþüýý.exe"	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components\{B6B5AD64-16D6-420B-2242-AD64224216D6}\last-check7 = "§Ï÷ùäù÷øø\u0090„•\u0090.exe"	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe

Executes dropped EXE 16 IoCs

pid	Process
2044	§Ï÷ùäù÷øø„•.exe
824	¬Ôüþéþüýý.exe
2724	¬Ôüþéþüýý.exe
2744	§Ï÷ùäù÷øø„•.exe
2784	¬Ôüþéþüýý.exe
2544	§Ï÷ùäù÷øø„•.exe
332	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
3044	§Ï÷ùäù÷øø„•.exe
328	§Ï÷ùäù÷øø„•.exe
1556	¬Ôüþéþüýý.exe
1640	§Ï÷ùäù÷øø„•.exe
1480	¬Ôüþéþüýý.exe
2300	§Ï÷ùäù÷øø„•.exe
3052	¬Ôüþéþüýý.exe

Loads dropped DLL 37 IoCs

pid	Process
2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
2044	§Ï÷ùäù÷øø„•.exe
2044	§Ï÷ùäù÷øø„•.exe
2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
2724	¬Ôüþéþüýý.exe
2724	¬Ôüþéþüýý.exe
2724	¬Ôüþéþüýý.exe
2744	§Ï÷ùäù÷øø„•.exe
2744	§Ï÷ùäù÷øø„•.exe
2784	¬Ôüþéþüýý.exe
2784	¬Ôüþéþüýý.exe
2744	§Ï÷ùäù÷øø„•.exe
2744	§Ï÷ùäù÷øø„•.exe
2744	§Ï÷ùäù÷øø„•.exe
2784	¬Ôüþéþüýý.exe
2784	¬Ôüþéþüýý.exe
2784	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
2040	¬Ôüþéþüýý.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
2040	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\§Ï÷ùäù÷øø„•.exe = "C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\§Ï÷ùäù÷øø\u0090„•\u0090.exe"	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-buffers	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-sent	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x000700000001878c-4.dat	upx
behavioral1/memory/2044-15-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x0006000000018742-22.dat	upx
behavioral1/memory/2724-27-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2044-35-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2356-37-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/824-38-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2724-50-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-72-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2744-88-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/332-89-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2784-91-0x0000000003D70000-0x0000000003D79000-memory.dmp	upx
behavioral1/memory/2040-115-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2784-111-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/3044-123-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/328-137-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1556-146-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/112-148-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2040-160-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1480-183-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2300-190-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/3052-201-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	¬Ôüþéþüýý.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	§Ï÷ùäù÷øø„•.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2740	WINWORD.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
2044	§Ï÷ùäù÷øø„•.exe
2724	¬Ôüþéþüýý.exe
824	¬Ôüþéþüýý.exe
2744	§Ï÷ùäù÷øø„•.exe
2740	WINWORD.EXE
2740	WINWORD.EXE
2784	¬Ôüþéþüýý.exe
2544	§Ï÷ùäù÷øø„•.exe
332	¬Ôüþéþüýý.exe
112	§Ï÷ùäù÷øø„•.exe
1588	WINWORD.EXE
1588	WINWORD.EXE
2040	¬Ôüþéþüýý.exe
3044	§Ï÷ùäù÷øø„•.exe
328	§Ï÷ùäù÷øø„•.exe
1556	¬Ôüþéþüýý.exe
1640	§Ï÷ùäù÷øø„•.exe
1480	¬Ôüþéþüýý.exe
2300	§Ï÷ùäù÷øø„•.exe
3052	¬Ôüþéþüýý.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2044	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	31
PID 2356 wrote to memory of 2044	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	31
PID 2356 wrote to memory of 2044	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	31
PID 2356 wrote to memory of 2044	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	31
PID 2044 wrote to memory of 824	2044	§Ï÷ùäù÷øø„•.exe	32
PID 2044 wrote to memory of 824	2044	§Ï÷ùäù÷øø„•.exe	32
PID 2044 wrote to memory of 824	2044	§Ï÷ùäù÷øø„•.exe	32
PID 2044 wrote to memory of 824	2044	§Ï÷ùäù÷øø„•.exe	32
PID 2356 wrote to memory of 2724	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	33
PID 2356 wrote to memory of 2724	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	33
PID 2356 wrote to memory of 2724	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	33
PID 2356 wrote to memory of 2724	2356	d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe	33
PID 2724 wrote to memory of 2740	2724	¬Ôüþéþüýý.exe	34
PID 2724 wrote to memory of 2740	2724	¬Ôüþéþüýý.exe	34
PID 2724 wrote to memory of 2740	2724	¬Ôüþéþüýý.exe	34
PID 2724 wrote to memory of 2740	2724	¬Ôüþéþüýý.exe	34
PID 2724 wrote to memory of 2744	2724	¬Ôüþéþüýý.exe	35
PID 2724 wrote to memory of 2744	2724	¬Ôüþéþüýý.exe	35
PID 2724 wrote to memory of 2744	2724	¬Ôüþéþüýý.exe	35
PID 2724 wrote to memory of 2744	2724	¬Ôüþéþüýý.exe	35
PID 2744 wrote to memory of 2784	2744	§Ï÷ùäù÷øø„•.exe	36
PID 2744 wrote to memory of 2784	2744	§Ï÷ùäù÷øø„•.exe	36
PID 2744 wrote to memory of 2784	2744	§Ï÷ùäù÷øø„•.exe	36
PID 2744 wrote to memory of 2784	2744	§Ï÷ùäù÷øø„•.exe	36
PID 2784 wrote to memory of 2544	2784	¬Ôüþéþüýý.exe	37
PID 2784 wrote to memory of 2544	2784	¬Ôüþéþüýý.exe	37
PID 2784 wrote to memory of 2544	2784	¬Ôüþéþüýý.exe	37
PID 2784 wrote to memory of 2544	2784	¬Ôüþéþüýý.exe	37
PID 2744 wrote to memory of 648	2744	§Ï÷ùäù÷øø„•.exe	38
PID 2744 wrote to memory of 648	2744	§Ï÷ùäù÷øø„•.exe	38
PID 2744 wrote to memory of 648	2744	§Ï÷ùäù÷øø„•.exe	38
PID 2744 wrote to memory of 648	2744	§Ï÷ùäù÷øø„•.exe	38
PID 2744 wrote to memory of 332	2744	§Ï÷ùäù÷øø„•.exe	39
PID 2744 wrote to memory of 332	2744	§Ï÷ùäù÷øø„•.exe	39
PID 2744 wrote to memory of 332	2744	§Ï÷ùäù÷øø„•.exe	39
PID 2744 wrote to memory of 332	2744	§Ï÷ùäù÷øø„•.exe	39
PID 2784 wrote to memory of 1588	2784	¬Ôüþéþüýý.exe	41
PID 2784 wrote to memory of 1588	2784	¬Ôüþéþüýý.exe	41
PID 2784 wrote to memory of 1588	2784	¬Ôüþéþüýý.exe	41
PID 2784 wrote to memory of 1588	2784	¬Ôüþéþüýý.exe	41
PID 2784 wrote to memory of 112	2784	¬Ôüþéþüýý.exe	42
PID 2784 wrote to memory of 112	2784	¬Ôüþéþüýý.exe	42
PID 2784 wrote to memory of 112	2784	¬Ôüþéþüýý.exe	42
PID 2784 wrote to memory of 112	2784	¬Ôüþéþüýý.exe	42
PID 112 wrote to memory of 2040	112	§Ï÷ùäù÷øø„•.exe	43
PID 112 wrote to memory of 2040	112	§Ï÷ùäù÷øø„•.exe	43
PID 112 wrote to memory of 2040	112	§Ï÷ùäù÷øø„•.exe	43
PID 112 wrote to memory of 2040	112	§Ï÷ùäù÷øø„•.exe	43
PID 2040 wrote to memory of 3044	2040	¬Ôüþéþüýý.exe	44
PID 2040 wrote to memory of 3044	2040	¬Ôüþéþüýý.exe	44
PID 2040 wrote to memory of 3044	2040	¬Ôüþéþüýý.exe	44
PID 2040 wrote to memory of 3044	2040	¬Ôüþéþüýý.exe	44
PID 112 wrote to memory of 1556	112	§Ï÷ùäù÷øø„•.exe	45
PID 112 wrote to memory of 1556	112	§Ï÷ùäù÷øø„•.exe	45
PID 112 wrote to memory of 1556	112	§Ï÷ùäù÷øø„•.exe	45
PID 112 wrote to memory of 1556	112	§Ï÷ùäù÷øø„•.exe	45
PID 2040 wrote to memory of 328	2040	¬Ôüþéþüýý.exe	46
PID 2040 wrote to memory of 328	2040	¬Ôüþéþüýý.exe	46
PID 2040 wrote to memory of 328	2040	¬Ôüþéþüýý.exe	46
PID 2040 wrote to memory of 328	2040	¬Ôüþéþüýý.exe	46
PID 2040 wrote to memory of 1640	2040	¬Ôüþéþüýý.exe	47
PID 2040 wrote to memory of 1640	2040	¬Ôüþéþüýý.exe	47
PID 2040 wrote to memory of 1640	2040	¬Ôüþéþüýý.exe	47
PID 2040 wrote to memory of 1640	2040	¬Ôüþéþüýý.exe	47

C:\Users\Admin\AppData\Local\Temp\d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe
"C:\Users\Admin\AppData\Local\Temp\d031dd0269779e8792c4494fb7e0d02b263c19b63148fafb27688e1f9ba3c24a.exe"
1⤵
- Modifies WinLogon for persistence
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:824
- C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2740
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
    - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\§Ï÷ùäù÷øø„•.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
      - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
  - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:648
  - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe
      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\¬Ôüþéþüýý.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
483B

MD5
6a4fdfb1984bf4d0fd4dae90eef42fa3

SHA1
7afcadf9209446d77bfb409d34467f5cba2ca720

SHA256
a41619561a5078793ecf996d3f4a55928d0802f671d5db5211e92587323bbfbf

SHA512
569a32304e552a4d74f7f52a7fbf1b1e82b0af258867ca345d3439e82d81de18da005b8a26d19d58e99bbc4efdf61d47b1a6d71d26a6d621efe81ec6638027ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
451B

MD5
4bcb693c20541dacc8cb1dd0a204140e

SHA1
7f309c5843c205be3d932ef64938bee7715b976c

SHA256
d7edc842584b872bdbbce532703de61ba31096c81234ba614ea76d7efdd49cd5

SHA512
40bc3eeed3cd873cd9f7165c71d0d93c9923cb17944277be004c6da8ea2611350c5ecdf4164e0f9319e3e0f7caaaf8907b2132c098b64640278fadc3796cbbea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\the [K]angen is back.doc.LNK

Filesize
1KB

MD5
37c1af6e8b8a94d27272a7eae61a1414

SHA1
3af877508981fa8ff0e0be76bf0c13bdc2d9bcc9

SHA256
29b1339eb7b31a68d2e18ecd500e82bc0c17328c9c80552ec86f967ee5948bb1

SHA512
38dfa1d9db8bab4fd95821fc413680e2dfbe2e20979c184d9d4d2b34fc4295b87770451c5c127f10ad2452bac3a7a51ed1effae8897ea909856998c2caeb41c2

Download Submit
C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc

Filesize
6KB

MD5
730ce61abbb36e76c9e06a2b7e5212a7

SHA1
7436058ca37a58f15d1665796223e2e4aecaca1c

SHA256
805b903c4557f4abea0640d516b28612d0f61ff4069eeb2bc7799ff9580008fb

SHA512
c3d63bbd7c8b259ea904648942c729e2812e4127c6d680b4d515d20dfb3740f0e111ecb8db7815b51c454814d34cfb006784ee89e567681af23e98acacb12c04

Download Submit
C:\Users\Admin\AppData\Roaming\~$e [K]angen is back.doc

Filesize
162B

MD5
3956bee7b74136b157590bea082722a0

SHA1
9df1cddd10a24477046275475c502198a23b77dd

SHA256
1d368cab7c1f9bc89a921d17e78f0c7e83dedd701ea30312fa370d37c8b189ce

SHA512
71499059d94c5115e95c4d20ec3d25150ca3a4f2808cf1f176ef35fb52a820449bb519a08dd5d844830a2850fcca862f077c1fee7f909e04ccf5425f0c40a258

Download Submit
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\§Ï÷ùäù÷øø„•.exe

Filesize
47KB

MD5
56672d90fad59c06a802faf10a7b9fb0

SHA1
44b13499d9e57a1d090845223f20555f8629325d

SHA256
5eb4c5e47723a901a1ed8b5bd63af231e5bf8c4608b4084b38e85821a80c6b6f

SHA512
3d6368f1747344833c22b9044df78a3772be26afd6e5788241da5e9effbb176b9f3e9d11dcbaa8ae32ef53d9b9ea740eded22f1a047f95377773e17c871b4184

Download Submit
\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\¬Ôüþéþüýý.exe

Filesize
33KB

MD5
8ccb14ad5eb0820fe4fb8509d14ca190

SHA1
86ab79f8119da343b667127990553c3a7ab5662c

SHA256
c9237e5f1498ea80067adf90e7e5b2e43307c49ae0f385d57df0b3e3dc5d30bb

SHA512
8d708948cd9a23ae5b5878447582b53278e94501199f8495fe02a284c8c2171a39be4d30f961f4053a377dc436d2f34d507c47b8cad222f4abdb0589a40d4b1c

Download Submit
memory/112-151-0x0000000003FC0000-0x0000000003FE2000-memory.dmp

Filesize
136KB

Download
memory/112-168-0x0000000003CB0000-0x0000000003CD2000-memory.dmp

Filesize
136KB

Download
memory/112-150-0x0000000001C40000-0x0000000001C62000-memory.dmp

Filesize
136KB

Download
memory/112-148-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/112-136-0x0000000003560000-0x0000000003582000-memory.dmp

Filesize
136KB

Download
memory/112-165-0x0000000003CB0000-0x0000000003CD2000-memory.dmp

Filesize
136KB

Download
memory/112-164-0x0000000003F70000-0x0000000003F7C000-memory.dmp

Filesize
48KB

Download
memory/328-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/332-89-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/824-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1480-183-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1556-146-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2040-115-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2040-167-0x0000000003E20000-0x0000000003E42000-memory.dmp

Filesize
136KB

Download
memory/2040-160-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2040-163-0x0000000003E20000-0x0000000003E29000-memory.dmp

Filesize
36KB

Download
memory/2040-118-0x0000000001D70000-0x0000000001D92000-memory.dmp

Filesize
136KB

Download
memory/2040-166-0x0000000003C90000-0x0000000003CB2000-memory.dmp

Filesize
136KB

Download
memory/2044-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2044-24-0x0000000000510000-0x0000000000532000-memory.dmp

Filesize
136KB

Download
memory/2044-35-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2300-190-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2356-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2356-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-72-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2724-50-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2724-44-0x0000000000430000-0x0000000000452000-memory.dmp

Filesize
136KB

Download
memory/2724-27-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2724-40-0x0000000001EA0000-0x0000000001EA9000-memory.dmp

Filesize
36KB

Download
memory/2740-45-0x000000002F561000-0x000000002F562000-memory.dmp

Filesize
4KB

Download
memory/2740-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2744-84-0x0000000003D00000-0x0000000003D22000-memory.dmp

Filesize
136KB

Download
memory/2744-88-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-80-0x0000000003F80000-0x0000000003F8C000-memory.dmp

Filesize
48KB

Download
memory/2744-54-0x0000000003E40000-0x0000000003E62000-memory.dmp

Filesize
136KB

Download
memory/2784-111-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2784-63-0x00000000024F0000-0x0000000002512000-memory.dmp

Filesize
136KB

Download
memory/2784-91-0x0000000003D70000-0x0000000003D79000-memory.dmp

Filesize
36KB

Download
memory/3044-123-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3052-201-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads