dc3d08cc406d15bb457ae7c5f678e379cdd98c8297d08b8d1b5ead62adfe1857

General

Target

51396027.exe
Size

10.5MB
MD5

59a9cba43d9dd78d248ec074353756b9
SHA1

da08c31f59fdf099474fa43205fb7f352d80edb2
SHA256

dc3d08cc406d15bb457ae7c5f678e379cdd98c8297d08b8d1b5ead62adfe1857
SHA512

0b8c9341774d3cb55d3a1d679e99621fc240e75c7a86aefa3b888546d1fdf5ff281e448a6a526882097efaa73357e2f32b90d6b4714a759821358a3d90d723bb
SSDEEP

196608:QUbJDQhT+BJpGuGfWFLiAt+ZtwpMskNvjfG2nu/CmaaFhEUrue6TwGdwCNkYSxfF:QUblWqJpnGeAtwCbNvS2GCmaNuue6TNy

Score

8^/10

discovery macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral2/files/0x000700000002428e-247.dat	office_macro_on_action

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	51396027.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51396027.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	51396027.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE
2916	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2916	1148	51396027.exe	89
PID 1148 wrote to memory of 2916	1148	51396027.exe	89
PID 1148 wrote to memory of 2916	1148	51396027.exe	89

C:\Users\Admin\AppData\Local\Temp\51396027.exe
"C:\Users\Admin\AppData\Local\Temp\51396027.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\202104141400\ƒo[ƒWƒ‡ƒ“ƒAƒbƒv.xls"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\202104141400\UpFile\DaProcess\SettingPdf\Ü—^Žx•¥“Í_—¼–Ê.rdlx

Filesize
726KB

MD5
deac0d51adda2b77eefffa1888fad4a3

SHA1
2ed3e202fa9dca660aba03f51ac79bc037df05db

SHA256
d5ce1c73145ceeb44d88719dd7f3a23b00d19a6817bb1cd647c8f11c2274bec1

SHA512
89677b2c5f00ec14cc7ca61af50a06856226a96bc1ca2588d7b10ba43a8eadbb2d8beba04c35b95affb48798b477f996651cc9cac8c52bae065650af91081b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\202104141400\UpFile\DaProcess\SettingPdf\Ü—^•sŽx‹‹•ñ‘_—¼–Ê.rdlx

Filesize
261KB

MD5
13afe5e46d9c6bc300f502086d988ddb

SHA1
52944507e6c94231d522b0e5c32515adb2c8e5e2

SHA256
67fedaafb2b2c7b54e1c4799d84c1a06b2f7b17256abf3add2e8a1b9b420d566

SHA512
af6b64da4cc8a934c35ed6c05f6a469c7187f60f27f0056a7aafaa7a5c48af058b437eb28f154d487ab6c11bc761858e56aa376fddb1e75c674504f1cf125e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\202104141400\ƒo[ƒWƒ‡ƒ“ƒAƒbƒv.xls

Filesize
249KB

MD5
23bc19b9644bd87a03c41f1189dba6dc

SHA1
d9115217854525600b400f1969db6003753eb52b

SHA256
d0c1257124fac22c0914262d6234f6501692959f70b1a41a7cc0c7258ef22e08

SHA512
cb4c5cbb0399391ab4beec677514297ff0114499b87d323eca230524e8f995a0a2834bb49f02e94fc775f7ef513ccf08d99b5d082615f96a47bc9e01ec85c9fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
db50abfa50f13bbde176e63b58db57bd

SHA1
c861db011b4fceaaedf8fce838319ca8880573ea

SHA256
bc34544710e5a6ede6e136f1e50a9758b70073e0757e2b70ad213c8f8807d6e7

SHA512
2a59b8e1132ed24eaed7fae67e07e601c478de3838deea358f9bf19e5e3693beb3933980c082e8c54d07db918de2b307ea06c46fb42e6c7cd8b8a7681b12ea3e

Download Submit
memory/2916-265-0x00007FFEF0C70000-0x00007FFEF0C80000-memory.dmp

Filesize
64KB

Download
memory/2916-266-0x00007FFEF0C70000-0x00007FFEF0C80000-memory.dmp

Filesize
64KB

Download
memory/2916-250-0x00007FFEF33B0000-0x00007FFEF33C0000-memory.dmp

Filesize
64KB

Download
memory/2916-254-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-257-0x00007FFEF33B0000-0x00007FFEF33C0000-memory.dmp

Filesize
64KB

Download
memory/2916-256-0x00007FFEF33B0000-0x00007FFEF33C0000-memory.dmp

Filesize
64KB

Download
memory/2916-255-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-261-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-264-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-263-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-252-0x00007FFEF33B0000-0x00007FFEF33C0000-memory.dmp

Filesize
64KB

Download
memory/2916-262-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-260-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-253-0x00007FFEF33B0000-0x00007FFEF33C0000-memory.dmp

Filesize
64KB

Download
memory/2916-267-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-259-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-258-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-270-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-269-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-268-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-292-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-293-0x00007FFF333CD000-0x00007FFF333CE000-memory.dmp

Filesize
4KB

Download
memory/2916-294-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-295-0x00007FFF33330000-0x00007FFF33525000-memory.dmp

Filesize
2.0MB

Download
memory/2916-251-0x00007FFF333CD000-0x00007FFF333CE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads