9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0

General

Target

9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
Size

1.6MB
MD5

9e4ed2fc2e6e8dda280bcd28a7bb2a69
SHA1

ec2619b5bd65c054c28a1a1165c0a5361b8bafeb
SHA256

9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0
SHA512

b702a20cd162603424f132e5367b8eeb1dced5529e48926f0e4cab9589725618f5ea162b903dc7f48f708b17c7b28a90e11ad9c1e815b54d6926434230dfb868
SSDEEP

24576:3LILY8Xu/3y8UsG2BgYLicwnkwCHdebUKyZURQ1TgjTp:wYrC8UsGuTwVCHdeQKyZURQ1EjTp

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2632 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2632 WINWORD.EXE
2632 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2632	WINWORD.EXE

pid	process
2632	WINWORD.EXE
2632	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exeWINWORD.EXE

description	pid	process	target process
PID 2164 wrote to memory of 2632	2164	9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe	WINWORD.EXE
PID 2164 wrote to memory of 2632	2164	9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe	WINWORD.EXE
PID 2164 wrote to memory of 2632	2164	9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe	WINWORD.EXE
PID 2164 wrote to memory of 2632	2164	9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe	WINWORD.EXE
PID 2632 wrote to memory of 2736	2632	WINWORD.EXE	splwow64.exe
PID 2632 wrote to memory of 2736	2632	WINWORD.EXE	splwow64.exe
PID 2632 wrote to memory of 2736	2632	WINWORD.EXE	splwow64.exe
PID 2632 wrote to memory of 2736	2632	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
"C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.docx"
2⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:2736

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1853110900.tmp
Filesize
1.6MB

MD5
9e4ed2fc2e6e8dda280bcd28a7bb2a69

SHA1
ec2619b5bd65c054c28a1a1165c0a5361b8bafeb

SHA256
9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0

SHA512
b702a20cd162603424f132e5367b8eeb1dced5529e48926f0e4cab9589725618f5ea162b903dc7f48f708b17c7b28a90e11ad9c1e815b54d6926434230dfb868

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.docx
Filesize
21KB

MD5
8869610891b0191e9746909ca47ab2d8

SHA1
8cb8a15d92c4f21de8d057a50b1947555781b703

SHA256
143e0f9934eeb25d2187e3e36f5dcbf2331266781e83ab9e3f73bbd295e539d5

SHA512
678a1ed385d85709f5205091b03aabde8a4626a1b372911c97d59b60ec38ff4a39098f851d4f07229d2bdd48ee946ab14e010bad961af34588ea3249133870a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
25073cb5939c1a22cbfc4bf81778784b

SHA1
93b18135258190852682d941cb71ca3a87e539e2

SHA256
22880cc1c177f0f38f62976355a94cc1e14a200cffbcda70117964be907247bf

SHA512
e04f489780f123bef6ba4905f667b3c158a8006128855909bb061891393f2a93ad8d774fcf0e78e07f554acd139b9f88b2b04c516936dcce2119385eef6292c3

Download Submit
memory/2632-63-0x000000002F0A0000-0x000000002F1FD000-memory.dmp

Filesize
1.4MB

Download
memory/2632-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2632-65-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2632-77-0x000000002F0A0000-0x000000002F1FD000-memory.dmp

Filesize
1.4MB

Download
memory/2632-78-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download
memory/2632-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2632-101-0x00000000718ED000-0x00000000718F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads