8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c

General

Target

8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe
Size

27KB
MD5

8a14b82fdbf63695569b3aaa1b76dca3
SHA1

81ea5808fe48d81746b3d28b449fbf87507897f1
SHA256

8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c
SHA512

3d6cd80116e56d1a8a70b4177ca8a6daf89897e2fd54e1bfbf3a5b899011d2404f99d52707758ab3044215f57e78a1fd6709efc4e67ada46aa8a24d113a2ec04
SSDEEP

768:DBu6LUjA/P4t6yeNR78L1yShobJDDLQppv:duAAhcuLWbBLQL

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

msword98.exe

pid process

2188 msword98.exe

pid	process
2188	msword98.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msword98.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msword98 = "C:\\Windows\\system32\\msword98.exe"	msword98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 = "C:\\Users\\Admin\\msword98.exe"	msword98.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe

description ioc process

File created C:\Windows\SysWOW64\msword98.exe 8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

msword98.exe

description pid process target process

PID 2188 set thread context of 2788 2188 msword98.exe svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msword98.exe	8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe

description	pid	process	target process
PID 2188 set thread context of 2788	2188	msword98.exe	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
520	4836	WerFault.exe	8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe
1432	2788	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exemsword98.exe

description	pid	process	target process
PID 4836 wrote to memory of 2188	4836	8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe	msword98.exe
PID 4836 wrote to memory of 2188	4836	8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe	msword98.exe
PID 4836 wrote to memory of 2188	4836	8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe	msword98.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe
PID 2188 wrote to memory of 2788	2188	msword98.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe
"C:\Users\Admin\AppData\Local\Temp\8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\msword98.exe
C:\Windows\system32\msword98.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Writes to the Master Boot Record (MBR)
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 240
4⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 348
2⤵
- Program crash
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2788 -ip 2788
1⤵
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msword98.exe
Filesize
27KB

MD5
8a14b82fdbf63695569b3aaa1b76dca3

SHA1
81ea5808fe48d81746b3d28b449fbf87507897f1

SHA256
8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c

SHA512
3d6cd80116e56d1a8a70b4177ca8a6daf89897e2fd54e1bfbf3a5b899011d2404f99d52707758ab3044215f57e78a1fd6709efc4e67ada46aa8a24d113a2ec04

Download Submit
C:\Windows\SysWOW64\msword98.exe
Filesize
27KB

MD5
8a14b82fdbf63695569b3aaa1b76dca3

SHA1
81ea5808fe48d81746b3d28b449fbf87507897f1

SHA256
8dede52db3dcb9bc5d4349b0a7b725bd4b769a34be6f8ba1ffbad8477056ae3c

SHA512
3d6cd80116e56d1a8a70b4177ca8a6daf89897e2fd54e1bfbf3a5b899011d2404f99d52707758ab3044215f57e78a1fd6709efc4e67ada46aa8a24d113a2ec04

Download Submit
memory/2188-142-0x0000000000000000-mapping.dmp

Download
memory/2188-154-0x0000000070000000-0x000000007000D000-memory.dmp

Filesize
52KB

Download
memory/2788-152-0x0000000070000000-0x00000000701FB000-memory.dmp

Filesize
2.0MB

Download
memory/2788-150-0x0000000000000000-mapping.dmp

Download
memory/2788-157-0x0000000070000000-0x00000000701FB000-memory.dmp

Filesize
2.0MB

Download
memory/2788-155-0x0000000070000000-0x00000000701FB000-memory.dmp

Filesize
2.0MB

Download
memory/2788-153-0x0000000070000000-0x00000000701FB000-memory.dmp

Filesize
2.0MB

Download
memory/2788-151-0x0000000070000000-0x00000000701FB000-memory.dmp

Filesize
2.0MB

Download
memory/4836-138-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-135-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-136-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-140-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-137-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-139-0x0000000009100000-0x0000000009109000-memory.dmp

Filesize
36KB

Download
memory/4836-156-0x0000000070000000-0x000000007000D000-memory.dmp

Filesize
52KB

Download
memory/4836-141-0x0000000070000000-0x000000007000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads