11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b

General

Target

11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
Size

151KB
MD5

5b348bf3acb336b3c9dbbd1ce9660f20
SHA1

8aa4f4df37f57c5246bc6c31fd048088a8ff0323
SHA256

11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b
SHA512

731d55c29c8ae315f83ffa65d8211d6aeb5f7a29b66323ed0e82efd36e6bd56c7a947536898740a3d491dae2c1754befc505be14ec0cc6c534821b76a5f9d68c
SSDEEP

3072:7q5UOGKNYWx8ebsrf/EEEG9WFzFUcTc5/0+wmDq+Sg4:+5UO2Ac6Fzal0+wmDGg4

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\Microsoft\Windows\CurrentVersion\run	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\J:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\I:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\H:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\G:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\S:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\Q:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\P:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\W:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\U:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\E:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\T:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\R:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\N:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\Z:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\Y:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\X:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\K:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\F:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\V:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\O:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened (read-only)	\??\L:	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winword.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	winword.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4740	winword.exe
4740	winword.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
1692	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4740	winword.exe
4740	winword.exe
4740	winword.exe
4740	winword.exe
4740	winword.exe
4740	winword.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 4740	1692	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe	81
PID 1692 wrote to memory of 4740	1692	11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe	81

C:\Users\Admin\AppData\Local\Temp\11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe
"C:\Users\Admin\AppData\Local\Temp\11ef342e68a998229d5669a9d886a7d2019f36cd8fcd908e80f83a7898575f9b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Program Files\Microsoft Office\Root\Office16\winword.exe
  "C:\Program Files\Microsoft Office\Root\Office16\winword.exe"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-133-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4740-138-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-134-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-136-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-135-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-137-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-139-0x00007FFC3D500000-0x00007FFC3D510000-memory.dmp

Filesize
64KB

Download
memory/4740-140-0x00007FFC3D500000-0x00007FFC3D510000-memory.dmp

Filesize
64KB

Download
memory/4740-142-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-143-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-144-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download
memory/4740-145-0x00007FFC3FC30000-0x00007FFC3FC40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads