df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d

Resubmissions

05-02-2025 10:34

250205-mmg7watqer 3

05-02-2025 10:33

250205-mljdjssnet 3

22-06-2024 18:41

240622-xb3pjsyhpe 10

22-06-2024 17:04

240622-vlcj1azdrp 10

Analysis

max time kernel
79s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe
Size

534KB
MD5

8e8eaa9b81f664c796225ac49e9ecb71
SHA1

320e25a4b4918dd76582c7f7e68f3d68268b17f7
SHA256

df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d
SHA512

66529bd7faa3275856fa87e7ec5ed250b0fc694f12e5fab2d1e84aa367844d42c7a19911065c9f2985752d55addc921797c77861081f2f40b5f1a69f84d935d0
SSDEEP

12288:1FF+1IiVMR/La01MZa03EiYIRKoMDKd+A1Ll7e7:1FFroMROFZa03EiYILWWvll74

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
756	WINWORD.EXE
756	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	taskmgr.exe
Token: SeSystemProfilePrivilege	620	taskmgr.exe
Token: SeCreateGlobalPrivilege	620	taskmgr.exe
Token: 33	620	taskmgr.exe
Token: SeIncBasePriorityPrivilege	620	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe
620	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE
756	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe
"C:\Users\Admin\AppData\Local\Temp\df2175421c791abbbe00721d185b0126fdcfa65948c5df89db284ccd4ae65d4d.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:620

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\ImportOpen.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
356B

MD5
6986b3bad4b7693c648ad2cc4d3e1356

SHA1
66a6def1482544323faf9ebb690ce6e21c92945b

SHA256
7c7b6d4f9d2f8e1c889e563ee6ece129c4e285a06df88fb2a491edcbb2c13498

SHA512
7896aa2ff4f066be822b4d55e27934d4d7c42373661d39a001fb2f13e834a77d874e912773e794f939809f2386f9b5adcb7e6b042ec811fd7ab18fa52350cacc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/620-2-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-1-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-12-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-11-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-10-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-9-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-8-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-7-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-6-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/620-0-0x000002DF15B80000-0x000002DF15B81000-memory.dmp

Filesize
4KB

Download
memory/756-14-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-16-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-17-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-18-0x00007FF7F62D0000-0x00007FF7F62E0000-memory.dmp

Filesize
64KB

Download
memory/756-19-0x00007FF7F62D0000-0x00007FF7F62E0000-memory.dmp

Filesize
64KB

Download
memory/756-13-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-15-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-77-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-76-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-79-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download
memory/756-78-0x00007FF7F8330000-0x00007FF7F8340000-memory.dmp

Filesize
64KB

Download