f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058

General

Target

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
Size

409KB
MD5

ba3916c609c877870cfe6c582d7aa82e
SHA1

4f6583881ea79793e59d1ab58dfcb95d4eb09cca
SHA256

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058
SHA512

709a27fc0dfadb446126d42049c46ac96c0b993f31a0a7c7a7e4745e55111ce904f4bbb296774c9f59fb2ad5e6451572813ab5eb6f0966e65db9067b4eac63ee

Score

8^/10

macro xlm

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1748.tmp

pid process

1220 1748.tmp

pid	process
1220	1748.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc	office_xlm_macros

Loads dropped DLL 1 IoCs

Processes:

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe

pid process

1864 f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

pid	process
1864	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

280 WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1748.tmp

pid process

1220 1748.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

280 WINWORD.EXE
280 WINWORD.EXE

pid	process
280	WINWORD.EXE

pid	process
1220	1748.tmp

pid	process
280	WINWORD.EXE
280	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe1748.tmpWINWORD.EXE

description	pid	process	target process
PID 1864 wrote to memory of 1220	1864	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	1748.tmp
PID 1864 wrote to memory of 1220	1864	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	1748.tmp
PID 1864 wrote to memory of 1220	1864	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	1748.tmp
PID 1864 wrote to memory of 1220	1864	f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe	1748.tmp
PID 1220 wrote to memory of 280	1220	1748.tmp	WINWORD.EXE
PID 1220 wrote to memory of 280	1220	1748.tmp	WINWORD.EXE
PID 1220 wrote to memory of 280	1220	1748.tmp	WINWORD.EXE
PID 1220 wrote to memory of 280	1220	1748.tmp	WINWORD.EXE
PID 280 wrote to memory of 676	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 676	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 676	280	WINWORD.EXE	splwow64.exe
PID 280 wrote to memory of 676	280	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
"C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\1748.tmp
"C:\Users\Admin\AppData\Local\Temp\1748.tmp" --pingC:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe 32875D8CF24E88E8164CD0FB5F4178E39364B4A21577F553E97E03EBA209FF28F0349B758F902E092BEE7C59412AAD07524E9FBEF223E760A040124B76C5F650
2⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:676

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1748.tmp
MD5
0b9478e481e6504375951b839519f1ef

SHA1
6ae661ff46cb1ae78efea25b4591283bc7d0e9bf

SHA256
ff02bc5a540e024b2be60c8abbe507c8c928d324a3e2fad7d7a3b3950e181796

SHA512
5fdb7d7bab1698fb99a124bee6ca23fbdac556b265e0b9189dcc4a4e02a0c781636131756bf77608bcb82376194ed84a2686ae38e4f9422c0da9cad3457c6d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc
MD5
12e57ae08f64353b3c3b3d08681aaaf1

SHA1
36b6aca282497c65d41513b231d247b0187651f1

SHA256
07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308

SHA512
aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8

Download Submit
\Users\Admin\AppData\Local\Temp\1748.tmp
MD5
0b9478e481e6504375951b839519f1ef

SHA1
6ae661ff46cb1ae78efea25b4591283bc7d0e9bf

SHA256
ff02bc5a540e024b2be60c8abbe507c8c928d324a3e2fad7d7a3b3950e181796

SHA512
5fdb7d7bab1698fb99a124bee6ca23fbdac556b265e0b9189dcc4a4e02a0c781636131756bf77608bcb82376194ed84a2686ae38e4f9422c0da9cad3457c6d3e

Download Submit
memory/280-63-0x0000000000000000-mapping.dmp

Download
memory/280-64-0x0000000072F71000-0x0000000072F74000-memory.dmp

Filesize
12KB

Download
memory/280-65-0x00000000709F1000-0x00000000709F3000-memory.dmp

Filesize
8KB

Download
memory/280-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/280-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/676-69-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1220-60-0x0000000000000000-mapping.dmp

Download
memory/1220-62-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads