Overview
overview
10Static
static
1001/2015.5.27/01.vir
windows7_x64
301/2015.5.27/01.vir
windows10_x64
3PER-DCOMP-...ao.dll
windows7_x64
1PER-DCOMP-...ao.dll
windows10_x64
101/2015.5.27/03.exe
windows7_x64
801/2015.5.27/03.exe
windows10_x64
801/2015.5.27/04.exe
windows7_x64
101/2015.5.27/04.exe
windows10_x64
101/2015.5.27/05.exe
windows7_x64
1001/2015.5.27/05.exe
windows10_x64
1001/2015.5.27/07.exe
windows7_x64
701/2015.5.27/07.exe
windows10_x64
701/2015.5.27/09.exe
windows7_x64
1001/2015.5.27/09.exe
windows10_x64
1001/2015.5.27/10.exe
windows7_x64
1001/2015.5.27/10.exe
windows10_x64
1001/2015.5.27/12.pdf
windows7_x64
101/2015.5.27/12.pdf
windows10_x64
101/2015.5.27/13.pdf
windows7_x64
101/2015.5.27/13.pdf
windows10_x64
101/2015.5.27/14.exe
windows7_x64
801/2015.5.27/14.exe
windows10_x64
801/2015.5.27/15.dll
windows7_x64
101/2015.5.27/15.dll
windows10_x64
101/2015.5.27/16.rtf
windows7_x64
1001/2015.5.27/16.rtf
windows10_x64
101/2015.5.27/17.pdf
windows7_x64
101/2015.5.27/17.pdf
windows10_x64
101/2015.5.27/18.doc
windows7_x64
101/2015.5.27/18.doc
windows10_x64
1Analysis
-
max time kernel
152s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-01-2022 13:34
Behavioral task
behavioral1
Sample
01/2015.5.27/01.vir
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
01/2015.5.27/01.vir
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
PER-DCOMP-Intimacao.dll
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
PER-DCOMP-Intimacao.dll
Resource
win10-en-20211208
Behavioral task
behavioral5
Sample
01/2015.5.27/03.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
01/2015.5.27/03.exe
Resource
win10-en-20211208
Behavioral task
behavioral7
Sample
01/2015.5.27/04.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
01/2015.5.27/04.exe
Resource
win10-en-20211208
Behavioral task
behavioral9
Sample
01/2015.5.27/05.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
01/2015.5.27/05.exe
Resource
win10-en-20211208
Behavioral task
behavioral11
Sample
01/2015.5.27/07.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
01/2015.5.27/07.exe
Resource
win10-en-20211208
Behavioral task
behavioral13
Sample
01/2015.5.27/09.exe
Resource
win7-en-20211208
Behavioral task
behavioral14
Sample
01/2015.5.27/09.exe
Resource
win10-en-20211208
Behavioral task
behavioral15
Sample
01/2015.5.27/10.exe
Resource
win7-en-20211208
Behavioral task
behavioral16
Sample
01/2015.5.27/10.exe
Resource
win10-en-20211208
Behavioral task
behavioral17
Sample
01/2015.5.27/12.pdf
Resource
win7-en-20211208
Behavioral task
behavioral18
Sample
01/2015.5.27/12.pdf
Resource
win10-en-20211208
Behavioral task
behavioral19
Sample
01/2015.5.27/13.pdf
Resource
win7-en-20211208
Behavioral task
behavioral20
Sample
01/2015.5.27/13.pdf
Resource
win10-en-20211208
Behavioral task
behavioral21
Sample
01/2015.5.27/14.exe
Resource
win7-en-20211208
Behavioral task
behavioral22
Sample
01/2015.5.27/14.exe
Resource
win10-en-20211208
Behavioral task
behavioral23
Sample
01/2015.5.27/15.dll
Resource
win7-en-20211208
Behavioral task
behavioral24
Sample
01/2015.5.27/15.dll
Resource
win10-en-20211208
Behavioral task
behavioral25
Sample
01/2015.5.27/16.rtf
Resource
win7-en-20211208
Behavioral task
behavioral26
Sample
01/2015.5.27/16.rtf
Resource
win10-en-20211208
Behavioral task
behavioral27
Sample
01/2015.5.27/17.pdf
Resource
win7-en-20211208
Behavioral task
behavioral28
Sample
01/2015.5.27/17.pdf
Resource
win10-en-20211208
Behavioral task
behavioral29
Sample
01/2015.5.27/18.doc
Resource
win7-en-20211208
Behavioral task
behavioral30
Sample
01/2015.5.27/18.doc
Resource
win10-en-20211208
General
-
Target
01/2015.5.27/16.rtf
-
Size
645KB
-
MD5
4be96ff0f019a966dcf941121d9c4708
-
SHA1
b699d9c175ad5e05cfe32fb4bf560af9d2501df5
-
SHA256
28dc42f7c79bc17885a992211492b5c34cedf62d496dea3e179fcbc553c95a17
-
SHA512
2218b56c96e51f42a31250ae9cae8b1249b919966d30c615ed9488c63b1164820f86108b10c202362e86ccc5a1046f0ccf5fc89f948e65a827d7d606903af777
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CommonFilesMgr = "C:\\ProgramData\\Common Files\\CommonFilesMgr.exe" msiexec.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
~WRX4014.tmppid process 1544 ~WRX4014.tmp -
Loads dropped DLL 1 IoCs
Processes:
~WRX4014.tmppid process 992 ~WRX4014.tmp -
Suspicious use of SetThreadContext 1 IoCs
Processes:
~WRX4014.tmpdescription pid process target process PID 1544 set thread context of 992 1544 ~WRX4014.tmp ~WRX4014.tmp -
Modifies Internet Explorer Phishing Filter 1 TTPs 6 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" msiexec.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\PhishingFilter msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" msiexec.exe -
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
msiexec.exepid process 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe 920 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 1540 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXE~WRX4014.tmppid process 1540 WINWORD.EXE 1540 WINWORD.EXE 1544 ~WRX4014.tmp -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
WINWORD.EXE~WRX4014.tmp~WRX4014.tmpdescription pid process target process PID 1540 wrote to memory of 300 1540 WINWORD.EXE splwow64.exe PID 1540 wrote to memory of 300 1540 WINWORD.EXE splwow64.exe PID 1540 wrote to memory of 300 1540 WINWORD.EXE splwow64.exe PID 1540 wrote to memory of 300 1540 WINWORD.EXE splwow64.exe PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 1544 wrote to memory of 992 1544 ~WRX4014.tmp ~WRX4014.tmp PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe PID 992 wrote to memory of 920 992 ~WRX4014.tmp msiexec.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\16.rtf"1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:300
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmp"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Adds policy Run key to start application
- Modifies Internet Explorer Phishing Filter
- Suspicious behavior: EnumeratesProcesses
PID:920
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmpMD5
b1247bab4bc611e49ae0d3c2b9e8a86b
SHA104476bf6c86e10e651befb2c4733e1ea69e10be0
SHA2561b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6
SHA51299a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmpMD5
b1247bab4bc611e49ae0d3c2b9e8a86b
SHA104476bf6c86e10e651befb2c4733e1ea69e10be0
SHA2561b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6
SHA51299a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRX4014.tmpMD5
b1247bab4bc611e49ae0d3c2b9e8a86b
SHA104476bf6c86e10e651befb2c4733e1ea69e10be0
SHA2561b975ac3b07c179eaa883a217afcb16771de3d5ba4e1c52b82ad60fdb97410a6
SHA51299a81a9d59d6f30a71737abe7b06d88a6a63a314e7b0be0d462532e5ef65555cc9f5370ec67b8d499f116e4db0aaee282925315c949d85c4068889946e0cd5b2
-
memory/300-59-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmpFilesize
8KB
-
memory/920-72-0x0000000000120000-0x0000000000137000-memory.dmpFilesize
92KB
-
memory/992-71-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/992-68-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/1540-58-0x0000000075D61000-0x0000000075D63000-memory.dmpFilesize
8KB
-
memory/1540-61-0x00000000070D0000-0x000000000722C000-memory.dmpFilesize
1.4MB
-
memory/1540-60-0x0000000006450000-0x0000000006460000-memory.dmpFilesize
64KB
-
memory/1540-55-0x00000000720C1000-0x00000000720C4000-memory.dmpFilesize
12KB
-
memory/1540-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1540-56-0x000000006FB41000-0x000000006FB43000-memory.dmpFilesize
8KB
-
memory/1544-65-0x00000000003C0000-0x00000000003C2000-memory.dmpFilesize
8KB