8aae3b1439dec6b0dc891effb2152daf27d9639cb26b0ccf03b51a5820c92b70

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_16811806711348617673558987317572681097380136281.exe
Size

1.1MB
MD5

f5c33c21056d3ef62172fc876faad063
SHA1

fb56e9043f19afdf49c61063ba30fe0ad72daf07
SHA256

655c37dadba41474eb3447ff8b23e064e760013e7c84503f9eb25d21f8bd3ec3
SHA512

aa29db436c336847d04b7317a1d8a4cd5c8335db1d2235fb3bb685a7907fcdd8cec8eca8f2818bdc8e1e61c5bf265978e692ffeef766a962a9b7406447afd3c6
SSDEEP

24576:PMjhbhcgdHRQp+DKjHfEhZQntmXft63I3i43eOooZw:CpeuHhZ7Q3q1Zw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2268	Doc_16811806711348617673558987317572681097380136281.tmp
2896	Doc_16811806711348617673558987317572681097380136281.tmp

Loads dropped DLL 8 IoCs

pid	Process
2276	Doc_16811806711348617673558987317572681097380136281.exe
2268	Doc_16811806711348617673558987317572681097380136281.tmp
2268	Doc_16811806711348617673558987317572681097380136281.tmp
2844	Doc_16811806711348617673558987317572681097380136281.exe
2896	Doc_16811806711348617673558987317572681097380136281.tmp
2896	Doc_16811806711348617673558987317572681097380136281.tmp
1784	regsvr32.exe
2620	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc_16811806711348617673558987317572681097380136281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc_16811806711348617673558987317572681097380136281.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc_16811806711348617673558987317572681097380136281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doc_16811806711348617673558987317572681097380136281.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	Doc_16811806711348617673558987317572681097380136281.tmp
2896	Doc_16811806711348617673558987317572681097380136281.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2896	Doc_16811806711348617673558987317572681097380136281.tmp

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2276 wrote to memory of 2268	2276	Doc_16811806711348617673558987317572681097380136281.exe	30
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2268 wrote to memory of 2844	2268	Doc_16811806711348617673558987317572681097380136281.tmp	31
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2844 wrote to memory of 2896	2844	Doc_16811806711348617673558987317572681097380136281.exe	32
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 2896 wrote to memory of 1784	2896	Doc_16811806711348617673558987317572681097380136281.tmp	33
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34
PID 1784 wrote to memory of 2620	1784	regsvr32.exe	34

C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe
"C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\is-PIL6G.tmp\Doc_16811806711348617673558987317572681097380136281.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PIL6G.tmp\Doc_16811806711348617673558987317572681097380136281.tmp" /SL5="$40150,695232,190976,C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\is-CDNFF.tmp\Doc_16811806711348617673558987317572681097380136281.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CDNFF.tmp\Doc_16811806711348617673558987317572681097380136281.tmp" /SL5="$301CC,695232,190976,C:\Users\Admin\AppData\Local\Temp\Doc_16811806711348617673558987317572681097380136281.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8dxgi.ocx"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8dxgi.ocx"
        6⤵
        Loads dropped DLL
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8dxgi.ocx

Filesize
1.2MB

MD5
8489f0b3c714542bd3aba532a16728ba

SHA1
3e51def0437bf4465a1852ec2148e401fc999fd3

SHA256
d1ddcd8b4c506f3af24f6ee63209de1342b1a5b29a73d8baadfea8d087daf940

SHA512
721cd16e7f7a9bb0a020f3f2849aa1f3e7de4abf1db1f7da307fab9a6b74d8d9db52353a7c5b988fe300bc589f218d81513ad726d7f6cba078b55cb009d60a7c

Download Submit
\Users\Admin\AppData\Local\Temp\is-8FCLM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PIL6G.tmp\Doc_16811806711348617673558987317572681097380136281.tmp

Filesize
1.2MB

MD5
5824259f69c4ece6cc28a81c9dec3abe

SHA1
6c4d89700e5c396407ec074331a6028e90a21ba4

SHA256
25d874689683f19a474590bc869bb9abcdc7472393fc57344f1a24bda05a4fc0

SHA512
0f19b9aeda82acab6d2c48612b30ff3f1d533d033dfac011c5c81c113f0139a8cc99a756b2105df334fdcd02cf38b16ef79ccc002ae1eff096fa4119d0273477

Download Submit
memory/2268-10-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2268-20-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2276-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2276-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2276-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2844-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2896-43-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download