b94c2f056b77094f19068a7ecc1c59a428b0d6505f8e65f9d8172ebc4e7669c3

General

Target

c05c01fd318b74exeexeexeex.exe
Size

467KB
MD5

c05c01fd318b741f8b17cd6b91d471c8
SHA1

e6ea6ea94fd1ce09d8538386c3d8c7db81857906
SHA256

b94c2f056b77094f19068a7ecc1c59a428b0d6505f8e65f9d8172ebc4e7669c3
SHA512

2013e8c04c648b3476e4fec6fbbe143f035a1a1e3ff0ea374ee9e5c2f777bed039ae120a3be6621f184924a57c6ba057078b81683cb7ab18b35ecd178683ff57
SSDEEP

6144:jFrJxvldL4c5ONK1xgWbd1s79+iSt7KxMgz6Nf3DQB+in9SLeP3QVD0ZKHKrpSGo:Bb4bZudi79LeKxTmrQBzusYDpKZ6Ak

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	2E81.tmp

Loads dropped DLL 1 IoCs

pid	Process
2320	c05c01fd318b74exeexeexeex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3028	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2352	2E81.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3028	WINWORD.EXE
3028	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2352	2320	c05c01fd318b74exeexeexeex.exe	28
PID 2320 wrote to memory of 2352	2320	c05c01fd318b74exeexeexeex.exe	28
PID 2320 wrote to memory of 2352	2320	c05c01fd318b74exeexeexeex.exe	28
PID 2320 wrote to memory of 2352	2320	c05c01fd318b74exeexeexeex.exe	28
PID 2352 wrote to memory of 3028	2352	2E81.tmp	29
PID 2352 wrote to memory of 3028	2352	2E81.tmp	29
PID 2352 wrote to memory of 3028	2352	2E81.tmp	29
PID 2352 wrote to memory of 3028	2352	2E81.tmp	29
PID 3028 wrote to memory of 2024	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2024	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2024	3028	WINWORD.EXE	32
PID 3028 wrote to memory of 2024	3028	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\2E81.tmp
  "C:\Users\Admin\AppData\Local\Temp\2E81.tmp" --helpC:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.exe 59A3802072354818CFC094D11D92AF3C65C8EF7B04F402E64FBB198AB8E87025AF5D5D3BCEC2329B84016CD03175D53A1F7BBF6BC0C03A63110B36197DF24019
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.doc"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2E81.tmp

Filesize
467KB

MD5
f66b25952f27b400372460d8d4ea0bac

SHA1
c9aebc56eed3f5d860eea1bb01cc194c9cd59802

SHA256
a6e34862aeb6711b818c72fb64cd82e3f84ea25c55c748decb128cb9e6c8722d

SHA512
7c16795d9aadc54c276d6ede13e5357bf45f3de0fd696659d3bdfa49c15eaff9cfc18369fbbf3d90ff6c359d6ee0830158163fc83e28f8b07192112ee83007c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c05c01fd318b74exeexeexeex.doc

Filesize
35KB

MD5
a6b03fc9e5439b7504ba08010a960962

SHA1
e93a74f35ac1ed020158642eb1f2087fd31fc7c6

SHA256
b3b306a9618a08a003443e00e8ce2fcb14040775c3aeadc11cf120668e98dff1

SHA512
decbe4fa7eec0833a27acbde8b4de099124aa42e551f710fb615e6fc5aa0056ce9e44fc282e4930b1a669a1e012700b2c79cebc8a7b8ee4c66cfc29c800cddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6093c70ef8fdca5d56d6927ee007cd8b

SHA1
cf29abf2ea7729645d0e3b960d89ae7fb0d3381d

SHA256
1f1c943310c1045d9a4adb591cf326231ff8523adc40f0f380ffc7e1a4a31b8c

SHA512
b2cfb4fadddc7b170df6afcff2ecd52e0fa235f8d522d2f8455c3800ab190d9b28f979ee80a3a2689680edd5d9a5676ce7b39363890d54f4d9106a35ee40b798

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\2E81.tmp

Filesize
467KB

MD5
f66b25952f27b400372460d8d4ea0bac

SHA1
c9aebc56eed3f5d860eea1bb01cc194c9cd59802

SHA256
a6e34862aeb6711b818c72fb64cd82e3f84ea25c55c748decb128cb9e6c8722d

SHA512
7c16795d9aadc54c276d6ede13e5357bf45f3de0fd696659d3bdfa49c15eaff9cfc18369fbbf3d90ff6c359d6ee0830158163fc83e28f8b07192112ee83007c0

Download Submit
memory/3028-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3028-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing