42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07

General

Target

0720a1760ad35b21d11f219b1296495e.exe
Size

2.4MB
MD5

0720a1760ad35b21d11f219b1296495e
SHA1

b56990e97f273697e8e83970035cddf9882721fd
SHA256

42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07
SHA512

9daad20d9934e2d8aa441146e4c28bdfb08dfa08d68becf42bb67c7d50a2b8f990a639583ea96b32e142cb99aa672658eb66a28208375aa33c1f573551090328

Score

7^/10

agilenet persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXSTZ.lnk	0720a1760ad35b21d11f219b1296495e.exe

Loads dropped DLL 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

pid process

1100 0720a1760ad35b21d11f219b1296495e.exe

pid	process
1100	0720a1760ad35b21d11f219b1296495e.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1420-64-0x0000000000A30000-0x0000000000A51000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	0720a1760ad35b21d11f219b1296495e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCXSTZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\winnote.exe\""	0720a1760ad35b21d11f219b1296495e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description pid process target process

PID 1420 set thread context of 1100 1420 0720a1760ad35b21d11f219b1296495e.exe 0720a1760ad35b21d11f219b1296495e.exe

description	pid	process	target process
PID 1420 set thread context of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe

autoit_exe 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1100-68-0x0000000000426BF7-mapping.dmp	autoit_exe
behavioral1/memory/1100-69-0x00000000005E0000-0x0000000000726000-memory.dmp	autoit_exe
behavioral1/memory/1100-74-0x00000000005E0000-0x0000000000726000-memory.dmp	autoit_exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	0720a1760ad35b21d11f219b1296495e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	0720a1760ad35b21d11f219b1296495e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	0720a1760ad35b21d11f219b1296495e.exe

NTFS ADS 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	0720a1760ad35b21d11f219b1296495e.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

740 WINWORD.EXE

pid	process
740	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe0720a1760ad35b21d11f219b1296495e.exe

pid	process
1420	0720a1760ad35b21d11f219b1296495e.exe
1420	0720a1760ad35b21d11f219b1296495e.exe
1420	0720a1760ad35b21d11f219b1296495e.exe
1100	0720a1760ad35b21d11f219b1296495e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

pid process

1100 0720a1760ad35b21d11f219b1296495e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe

description pid process

Token: SeDebugPrivilege 1420 0720a1760ad35b21d11f219b1296495e.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

740 WINWORD.EXE
740 WINWORD.EXE

pid	process
1100	0720a1760ad35b21d11f219b1296495e.exe

description	pid	process
Token: SeDebugPrivilege	1420	0720a1760ad35b21d11f219b1296495e.exe

pid	process
740	WINWORD.EXE
740	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0720a1760ad35b21d11f219b1296495e.exe0720a1760ad35b21d11f219b1296495e.exeWINWORD.EXE

description	pid	process	target process
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1420 wrote to memory of 1100	1420	0720a1760ad35b21d11f219b1296495e.exe	0720a1760ad35b21d11f219b1296495e.exe
PID 1100 wrote to memory of 740	1100	0720a1760ad35b21d11f219b1296495e.exe	WINWORD.EXE
PID 1100 wrote to memory of 740	1100	0720a1760ad35b21d11f219b1296495e.exe	WINWORD.EXE
PID 1100 wrote to memory of 740	1100	0720a1760ad35b21d11f219b1296495e.exe	WINWORD.EXE
PID 1100 wrote to memory of 740	1100	0720a1760ad35b21d11f219b1296495e.exe	WINWORD.EXE
PID 740 wrote to memory of 848	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 848	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 848	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 848	740	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe
"C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe
"C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1100

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JVBXFQ.rtf"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JVBXFQ.rtf
MD5
d295c8b2da0c5e453d9f1a38ce851f38

SHA1
edecdb3f9570c1903ed9f77d21920825403f3f8c

SHA256
9febf652d086e359850c6db8029301729d35723f4e1bc85279ce53fbc32034f4

SHA512
b439accc80b93f575589e37e1774a9815f43281597245feff21466ffd6107325324fc78bb57d431f1b8322c9e125b66e799eac6c75afe37208ae2cf92b805a07

Download Submit
\Users\Admin\AppData\Roaming\Windata\winnote.exe
MD5
0720a1760ad35b21d11f219b1296495e

SHA1
b56990e97f273697e8e83970035cddf9882721fd

SHA256
42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07

SHA512
9daad20d9934e2d8aa441146e4c28bdfb08dfa08d68becf42bb67c7d50a2b8f990a639583ea96b32e142cb99aa672658eb66a28208375aa33c1f573551090328

Download Submit
memory/740-75-0x0000000000000000-mapping.dmp

Download
memory/740-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/740-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/740-77-0x000000006FB21000-0x000000006FB23000-memory.dmp

Filesize
8KB

Download
memory/740-76-0x00000000720A1000-0x00000000720A4000-memory.dmp

Filesize
12KB

Download
memory/848-83-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/848-82-0x0000000000000000-mapping.dmp

Download
memory/1100-73-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1100-74-0x00000000005E0000-0x0000000000726000-memory.dmp

Filesize
1.3MB

Download
memory/1100-69-0x00000000005E0000-0x0000000000726000-memory.dmp

Filesize
1.3MB

Download
memory/1100-68-0x0000000000426BF7-mapping.dmp

Download
memory/1100-67-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/1420-60-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1420-66-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1420-65-0x0000000002020000-0x000000000202B000-memory.dmp

Filesize
44KB

Download
memory/1420-64-0x0000000000A30000-0x0000000000A51000-memory.dmp

Filesize
132KB

Download
memory/1420-62-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads