fda3e17024fa1bfc3f4af7358c639e5f77a400ab90291f1a1cf6988fe1a531e8

General

Target

637efa15b6dbaeexeexeexeex.exe
Size

467KB
MD5

637efa15b6dbae93ddd0cb9137c09e08
SHA1

98b35aff49353c353675ae9b2a73eb80b34d59a2
SHA256

fda3e17024fa1bfc3f4af7358c639e5f77a400ab90291f1a1cf6988fe1a531e8
SHA512

c84e292dc3313b77e2b56b0d9dad2af05e21a2a22842c341446eb86b7baea1b8f5233f5e7097f46dde84f105a3af5954c97a7360e36c5d056993496a8889b086
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iSt4hB5py1ZW94F3A/AwgPfzVwcBJlwLkB31j5:Bb4bZudi79Lxbpy1ZQ4nrLls8ojmZAk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2184	FFC3.tmp

Loads dropped DLL 1 IoCs

pid	Process
980	637efa15b6dbaeexeexeexeex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
284	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2184	FFC3.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
284	WINWORD.EXE
284	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2184	980	637efa15b6dbaeexeexeexeex.exe	29
PID 980 wrote to memory of 2184	980	637efa15b6dbaeexeexeexeex.exe	29
PID 980 wrote to memory of 2184	980	637efa15b6dbaeexeexeexeex.exe	29
PID 980 wrote to memory of 2184	980	637efa15b6dbaeexeexeexeex.exe	29
PID 2184 wrote to memory of 284	2184	FFC3.tmp	30
PID 2184 wrote to memory of 284	2184	FFC3.tmp	30
PID 2184 wrote to memory of 284	2184	FFC3.tmp	30
PID 2184 wrote to memory of 284	2184	FFC3.tmp	30
PID 284 wrote to memory of 2924	284	WINWORD.EXE	33
PID 284 wrote to memory of 2924	284	WINWORD.EXE	33
PID 284 wrote to memory of 2924	284	WINWORD.EXE	33
PID 284 wrote to memory of 2924	284	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\FFC3.tmp
  "C:\Users\Admin\AppData\Local\Temp\FFC3.tmp" --helpC:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.exe 3809E216DF2C7BF3DDF3E60C96D6E688232338B6588DCB4F9780EE1EEC5C596A4F23F87A469128B456752E640B98E5FC5191CEDBCF9BCAE982114F126EF8E904
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:284
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\637efa15b6dbaeexeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFC3.tmp

Filesize
467KB

MD5
9498b46aec00c2747c1bfa70f5919c52

SHA1
61b500ac846c46980789e05da539245c41ca8b43

SHA256
0f18aea806795fedde5ed82dac8a47101b6c8c5a753f12bff6cc892a40b07ee7

SHA512
40de301b6b7a1a072b808398385631d5050290ffdd593099984a16390396ac7e338eaf7e970ef2165d5e0631f2afb44b627bbf7ded95d7c59eab9c9f14fdc2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
edad749720b090650a44721d0bbf1fee

SHA1
b1f2302168f4e5d08eed0c42eff0c1fabebfedac

SHA256
8057c96f5b82c5728b4ea65007024ba147ce5415c809fe26951e85b3a9600898

SHA512
20d0dfdec587a28deec11bb57496ba56e5a763dfd3ed2f4a60bf51b1db9137de6957b7435ca6c61a61bcfe95e3e1649b015417e02a4cf9994a1bb0f0885c4198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\FFC3.tmp

Filesize
467KB

MD5
9498b46aec00c2747c1bfa70f5919c52

SHA1
61b500ac846c46980789e05da539245c41ca8b43

SHA256
0f18aea806795fedde5ed82dac8a47101b6c8c5a753f12bff6cc892a40b07ee7

SHA512
40de301b6b7a1a072b808398385631d5050290ffdd593099984a16390396ac7e338eaf7e970ef2165d5e0631f2afb44b627bbf7ded95d7c59eab9c9f14fdc2bb

Download Submit
memory/284-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/284-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing