cc773fa6caca8fd14bc2b054038dcaa627496f233e31c9b51ddc0d7e51d1a79b

General

Target

1796838d573e7ad485ba1f0e65303bf7.exe
Size

2.4MB
MD5

1796838d573e7ad485ba1f0e65303bf7
SHA1

ac213fe761b4755bf5ba97dac99e1bde6a067379
SHA256

cc773fa6caca8fd14bc2b054038dcaa627496f233e31c9b51ddc0d7e51d1a79b
SHA512

f69c929eaa419f935ff5fe5b296e4177921b5bf6d88e53ac86daaf10cd6ff65ce13fbfb2ae1f642dfa94f2b90246e18982f4661b099dd1dbf2485c5cdcc01831

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/756-64-0x0000000000B50000-0x0000000000B71000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe

description pid process target process

PID 756 set thread context of 1328 756 1796838d573e7ad485ba1f0e65303bf7.exe 1796838d573e7ad485ba1f0e65303bf7.exe

description	pid	process	target process
PID 756 set thread context of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1328-67-0x0000000000400000-0x0000000000546000-memory.dmp	autoit_exe
behavioral1/memory/1328-68-0x0000000000426BF7-mapping.dmp	autoit_exe
behavioral1/memory/1328-70-0x0000000000400000-0x0000000000546000-memory.dmp	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	1796838d573e7ad485ba1f0e65303bf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	1796838d573e7ad485ba1f0e65303bf7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	1796838d573e7ad485ba1f0e65303bf7.exe

NTFS ADS 1 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	1796838d573e7ad485ba1f0e65303bf7.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE

pid	process
1720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe1796838d573e7ad485ba1f0e65303bf7.exe

pid	process
756	1796838d573e7ad485ba1f0e65303bf7.exe
756	1796838d573e7ad485ba1f0e65303bf7.exe
756	1796838d573e7ad485ba1f0e65303bf7.exe
1328	1796838d573e7ad485ba1f0e65303bf7.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe

pid process

1328 1796838d573e7ad485ba1f0e65303bf7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe

description pid process

Token: SeDebugPrivilege 756 1796838d573e7ad485ba1f0e65303bf7.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE

pid	process
1328	1796838d573e7ad485ba1f0e65303bf7.exe

description	pid	process
Token: SeDebugPrivilege	756	1796838d573e7ad485ba1f0e65303bf7.exe

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

1796838d573e7ad485ba1f0e65303bf7.exe1796838d573e7ad485ba1f0e65303bf7.exeWINWORD.EXE

description	pid	process	target process
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 756 wrote to memory of 1328	756	1796838d573e7ad485ba1f0e65303bf7.exe	1796838d573e7ad485ba1f0e65303bf7.exe
PID 1328 wrote to memory of 1720	1328	1796838d573e7ad485ba1f0e65303bf7.exe	WINWORD.EXE
PID 1328 wrote to memory of 1720	1328	1796838d573e7ad485ba1f0e65303bf7.exe	WINWORD.EXE
PID 1328 wrote to memory of 1720	1328	1796838d573e7ad485ba1f0e65303bf7.exe	WINWORD.EXE
PID 1328 wrote to memory of 1720	1328	1796838d573e7ad485ba1f0e65303bf7.exe	WINWORD.EXE
PID 1720 wrote to memory of 1468	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 1468	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 1468	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 1468	1720	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\1796838d573e7ad485ba1f0e65303bf7.exe
"C:\Users\Admin\AppData\Local\Temp\1796838d573e7ad485ba1f0e65303bf7.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\1796838d573e7ad485ba1f0e65303bf7.exe
"C:\Users\Admin\AppData\Local\Temp\1796838d573e7ad485ba1f0e65303bf7.exe"
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1328

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SZYLED.rtf"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SZYLED.rtf
MD5
d295c8b2da0c5e453d9f1a38ce851f38

SHA1
edecdb3f9570c1903ed9f77d21920825403f3f8c

SHA256
9febf652d086e359850c6db8029301729d35723f4e1bc85279ce53fbc32034f4

SHA512
b439accc80b93f575589e37e1774a9815f43281597245feff21466ffd6107325324fc78bb57d431f1b8322c9e125b66e799eac6c75afe37208ae2cf92b805a07

Download Submit
memory/756-60-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/756-62-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/756-64-0x0000000000B50000-0x0000000000B71000-memory.dmp

Filesize
132KB

Download
memory/756-65-0x00000000049A0000-0x00000000049AB000-memory.dmp

Filesize
44KB

Download
memory/756-66-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1328-70-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1328-69-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1328-68-0x0000000000426BF7-mapping.dmp

Download
memory/1328-67-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1468-77-0x0000000000000000-mapping.dmp

Download
memory/1468-78-0x000007FEFB701000-0x000007FEFB703000-memory.dmp

Filesize
8KB

Download
memory/1720-71-0x0000000000000000-mapping.dmp

Download
memory/1720-72-0x0000000072201000-0x0000000072204000-memory.dmp

Filesize
12KB

Download
memory/1720-73-0x000000006FC81000-0x000000006FC83000-memory.dmp

Filesize
8KB

Download
memory/1720-74-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads