a6b304da706f65520019273d5f35dc9ede582febfe9e9a1d87c482eb46433256

Analysis

max time kernel
102s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe
Size

3.7MB
MD5

68b391cb055223f2693bd70eed0bb6ec
SHA1

70140b9329ef88d5612ada836dac3bad7fdff833
SHA256

1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8
SHA512

ace93dbbeb5c3aac3a045ee9478598e40057e07ffad92a41421a0e6bd1d32528950032c0b781343991160ec5f1e371ad79b44b29c3cf69a4618ee63db9e32b44
SSDEEP

98304:m6Yz0Nw2/UjBP206DrDasW4/pZ0g+jBu3T:qINIj433ncjkD

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe

Executes dropped EXE 2 IoCs

pid	Process
4376	UxSms.exe
4452	UxSms.exe

Loads dropped DLL 8 IoCs

pid	Process
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe
4452	UxSms.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UxSms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UxSms.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3956	WINWORD.EXE
3956	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	UxSms.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE
3956	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 4376	3380	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe	89
PID 3380 wrote to memory of 4376	3380	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe	89
PID 3380 wrote to memory of 4376	3380	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe	89
PID 4376 wrote to memory of 4452	4376	UxSms.exe	91
PID 4376 wrote to memory of 4452	4376	UxSms.exe	91
PID 4376 wrote to memory of 4452	4376	UxSms.exe	91
PID 3380 wrote to memory of 3956	3380	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe	92
PID 3380 wrote to memory of 3956	3380	1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe	92

C:\Users\Admin\AppData\Local\Temp\1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe
"C:\Users\Admin\AppData\Local\Temp\1a47c4fd5aa52c954123b3871ed1e6cdacf81b1d18e8281d1b0ab304133ee3a8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\UxSms.exe
  "C:\Users\Admin\AppData\Local\Temp\UxSms.exe" /UxSms.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\UxSms.exe
    "C:\Users\Admin\AppData\Local\Temp\UxSms.exe" /UxSms.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\News.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3956

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\News.doc

Filesize
29KB

MD5
e328ee90bf1485f457af242e84f662d4

SHA1
41bea32cc0a4c94cf5db4d51d49978c1a87350c1

SHA256
6fee342709ae091cbc6931bdf0049ec5d71406df14098e5b6f85f9c2085b0acc

SHA512
1dc1a4ef90b6b8b10878c71f2d46645c10c8b383fbf72400bf3ca77690ac963406772ad954f6c33c8973535228b0e1515b2169f8329838dfc5019c694843a255

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDBD29.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxSms.exe

Filesize
3.6MB

MD5
ad7e9abfcd0bea1d5f09a87ff3ee3d23

SHA1
e5141295baf0b0a548af1bea2ebc91425f24c63b

SHA256
c89ce29109f33617ace04f4129b641510ed4a0e94f196cb45a17941f1990be9d

SHA512
ad6593925b828660637f9cdf3bf90615ffa52a3726947fb44c7d80daca6339afe7038c90bb714d0a006b9d0db23d64c4d24b95c19fecc26666072b819fc959b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_hashlib.pyd

Filesize
280KB

MD5
22071845daf8c1f6e87f006673eed4fd

SHA1
b3bc158d041aecc313900cf9a7205e13c47dd9a3

SHA256
51c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407

SHA512
6a11c1620e60b35d321c340687e03a5d9c9eb07912d95c7ba8b9d25867f246b6f46e23d5ee5ec6999c38a92460e85efd8704100e81492c26e38ba3da0f0e5972

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_psutil_mswindows.pyd

Filesize
35KB

MD5
24a624cfac7d2982c8e3a653a3babe8a

SHA1
444cd7c84b74667c920c879dc8d2fb7b4d702aa8

SHA256
195374f37ff4271fbd2f4def5305d30af703633e542fe6f7636b173de197d8af

SHA512
5fb7232b4708b89cd1b5cba5124836f6f5ac7c6dbab3be66feddceb38f346032783c618c20b247b572598340c55e7146f384d157c0ed35e85d0e15ea3493326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_socket.pyd

Filesize
40KB

MD5
b7c3e334648a6cbb03b550b842818409

SHA1
767be295f1e4adedf0e10532f9c1b7908d17383a

SHA256
f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd

SHA512
43ee04452b685022bfdbaca5b3603d4c0e406599b8da70c6a25fa2c4ac5543ada4521eba9bbf0ca86a2a4775ce474ab89da7d27f842d63df62048a1b7ca431d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\_ssl.pyd

Filesize
704KB

MD5
27a7a40b2b83578e0c3bffb5a167d67a

SHA1
d20a7d3308990ce04839569b66f8639d6ed55848

SHA256
ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4

SHA512
7b97690b9ab68562ca85ce0ffc56ae517f8fafe44caff846d66bb4c2003aa6d1b0b321d9ea4526c4652b5152ec46dc600671f427957e6e847ba75ced0d09acef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43762\python27.dll

Filesize
2.2MB

MD5
35625dec59855cf48040c77062fc2e54

SHA1
d92392d23c9cc1669c8ffbeca795d4e76aaefbf7

SHA256
60a51a5f5526330f702754e3a9427629e6c4b1128068c020c64a4e3d78d5d8e6

SHA512
ae48ce1cbe4757dd2b3f1562b0f69b79cc2fc7dcb0ee7b5843d3aaf05dff8d9bcf38fccfa921349dac0d2c6f65e370b896f1331f25875ef5c3cd2dbc068fd827

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
e5fce5b30dc25947cc802c00469a65a6

SHA1
4d635b521d683fdd7fb5cb1b18137fcdff68cac2

SHA256
ae37a3d47e25fcb02b6b97346564ca8cf7ac42229e28a6fbc1e987b317eeebc4

SHA512
983c0d3238c9328df00c2291111f2ec84b4459f78cb44376ea3e64bc639ffb6cb33d688d4622436ffbaf3b7adb483d7861a30cdbb7413bb338891bb398e3b58b

Download Submit
memory/3956-63-0x00007FFDC6520000-0x00007FFDC6530000-memory.dmp

Filesize
64KB

Download
memory/3956-229-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-36-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-35-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-34-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-62-0x00007FFDC6520000-0x00007FFDC6530000-memory.dmp

Filesize
64KB

Download
memory/3956-38-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-228-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-226-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-37-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/3956-227-0x00007FFDC8810000-0x00007FFDC8820000-memory.dmp

Filesize
64KB

Download
memory/4452-48-0x0000000002550000-0x0000000002605000-memory.dmp

Filesize
724KB

Download
memory/4452-53-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/4452-44-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads