033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c

General

Target

033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe
Size

849KB
MD5

dd7ef9a28e6c7710a15e0237d56f503f
SHA1

25886a0775680d668f9b3aa38bf0419d3c318100
SHA256

033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c
SHA512

712b7159ef442a499b79b08d480f2c15d1eea75cbdc155af2d7ecfc03c502f6cb18cd00db85d48c395e24606027f38f6966b02a5221be28cb9a47ad3f249712f

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ms.word = "C:\\Users\\Admin\\AppData\\Roaming\\WINWORD.EXE"	033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1984 WINWORD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE
1984	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exeWINWORD.EXE

description	pid	process	target process
PID 1864 wrote to memory of 1984	1864	033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe	WINWORD.EXE
PID 1864 wrote to memory of 1984	1864	033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe	WINWORD.EXE
PID 1864 wrote to memory of 1984	1864	033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe	WINWORD.EXE
PID 1864 wrote to memory of 1984	1864	033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe	WINWORD.EXE
PID 1984 wrote to memory of 1572	1984	WINWORD.EXE	splwow64.exe
PID 1984 wrote to memory of 1572	1984	WINWORD.EXE	splwow64.exe
PID 1984 wrote to memory of 1572	1984	WINWORD.EXE	splwow64.exe
PID 1984 wrote to memory of 1572	1984	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe
"C:\Users\Admin\AppData\Local\Temp\033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\033f7c5026b14321459c602761b3895de0631218d63e1104e7a8f891c6d8f32c.exe.doc
MD5
13fa837b598154256b7aca4168752ce6

SHA1
8f087f230e28fa88101d0d5bd2c0c84c094a485b

SHA256
3f91f495051aed0eaf8a03039c824d41a0760f112e944868b24ba7df62c1d581

SHA512
b4358e576b998b0abdef4aaf696d25b2c53d7212d7c32315eca6dfdd58c8615020b9569a954cf9ac0581395932e2f20efdeba2eebd4bcaef6c447ad1268817b8

Download Submit
memory/1572-67-0x0000000000000000-mapping.dmp

Download
memory/1572-68-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1864-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1864-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download
memory/1984-63-0x0000000072F71000-0x0000000072F74000-memory.dmp

Filesize
12KB

Download
memory/1984-64-0x00000000709F1000-0x00000000709F3000-memory.dmp

Filesize
8KB

Download
memory/1984-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1984-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads