b4fc5b365d6ccb4dc726a82c8b3f1c39ce16bf848c779706569c938d1a6855a8

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/02/2025, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware-sample-library-master/APT28 FancyBear/APT28,NATOPAPER,SOFACY2004.exe
Size

108KB
MD5

7f564a6a8910b513a851b2616af8d7ee
SHA1

aade2da992de07c233f4d2711cb4f046984a3783
SHA256

1de6d9db409bef73e3585fc08f98b30e2757ec87830e6f84ba85c39210aa962b
SHA512

9870a3ac7cd47458aa9f0a6afd9767d19460d93c9c2f20aa5fb2fe6a2ef0e2b7361e2a83d20cd91c105af34184fe3d582b5ce4200f0bea1e780481fe7928e252
SSDEEP

1536:DAo8qqfNrkdOoXL60J8s8FGBOO80+yldyVZR/HmD8TK0VGaxkGbANv:DAo8zuFjyFG8x0+ylc7RftTVGOkv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysConnect = "{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}"	APT28,NATOPAPER,SOFACY2004.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysconnect.dll	APT28,NATOPAPER,SOFACY2004.exe
File created	C:\Windows\SysWOW64\winmgmt.dll	APT28,NATOPAPER,SOFACY2004.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	APT28,NATOPAPER,SOFACY2004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}\InProcServer32\ThreadingModel = "Apartment"	APT28,NATOPAPER,SOFACY2004.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}\InProcServer32	APT28,NATOPAPER,SOFACY2004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	APT28,NATOPAPER,SOFACY2004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	APT28,NATOPAPER,SOFACY2004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}	APT28,NATOPAPER,SOFACY2004.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}\InProcServer32	APT28,NATOPAPER,SOFACY2004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5cbecaf5-2067-44fd-8c4d-68c099b89c5b}\InProcServer32\ = "C:\\Windows\\SysWow64\\sysconnect.dll"	APT28,NATOPAPER,SOFACY2004.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2236	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	WINWORD.EXE
2236	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2236	1868	APT28,NATOPAPER,SOFACY2004.exe	30
PID 1868 wrote to memory of 2236	1868	APT28,NATOPAPER,SOFACY2004.exe	30
PID 1868 wrote to memory of 2236	1868	APT28,NATOPAPER,SOFACY2004.exe	30
PID 1868 wrote to memory of 2236	1868	APT28,NATOPAPER,SOFACY2004.exe	30
PID 2236 wrote to memory of 2800	2236	WINWORD.EXE	33
PID 2236 wrote to memory of 2800	2236	WINWORD.EXE	33
PID 2236 wrote to memory of 2800	2236	WINWORD.EXE	33
PID 2236 wrote to memory of 2800	2236	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe
"C:\Users\Admin\AppData\Local\Temp\malware-sample-library-master\APT28 FancyBear\APT28,NATOPAPER,SOFACY2004.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NATO.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NATO.doc

Filesize
54KB

MD5
fd34f554ee16947045ef7aecc6d8a6ae

SHA1
8b424ff7bfdb326c73bc0231c9329e4eccc5cb1b

SHA256
e14998cd3efa380d8e042f33e08ca42934e8e04c6f346a2b560830e4ed26ebf2

SHA512
0ddb0594a5412564a6901241aa27dfd3f97e96f3b2154a5daa1874155e9877fc25dd91c18da09d0667b927481b2090278da04b334214749b6b59eb231ff27d50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2236-3-0x000000002F8F1000-0x000000002F8F2000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-5-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/2236-22-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads