Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 07-08-2023 02:25
Static task: static1

Behavioral task: behavioral1
- Sample: 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
- Resource: win7-20230712-en

Behavioral task: behavioral2
- Sample: 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
- Resource: win10v2004-20230703-en
General
- Target: 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
- Size: 1.6MB
- MD5: 9e4ed2fc2e6e8dda280bcd28a7bb2a69
- SHA1: ec2619b5bd65c054c28a1a1165c0a5361b8bafeb
- SHA256: 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0
- SHA512: b702a20cd162603424f132e5367b8eeb1dced5529e48926f0e4cab9589725618f5ea162b903dc7f48f708b17c7b28a90e11ad9c1e815b54d6926434230dfb868
- SSDEEP: 24576:3LILY8Xu/3y8UsG2BgYLicwnkwCHdebUKyZURQ1TgjTp:wYrC8UsGuTwVCHdeQKyZURQ1EjTp
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s" | 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  2632 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  2632 | WINWORD.EXE
  2632 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 2164 wrote to memory of 2632 | 2164 | 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe | WINWORD.EXE
  PID 2164 wrote to memory of 2632 | 2164 | 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe | WINWORD.EXE
  PID 2164 wrote to memory of 2632 | 2164 | 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe | WINWORD.EXE
  PID 2164 wrote to memory of 2632 | 2164 | 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe | WINWORD.EXE
  PID 2632 wrote to memory of 2736 | 2632 | WINWORD.EXE | splwow64.exe
  PID 2632 wrote to memory of 2736 | 2632 | WINWORD.EXE | splwow64.exe
  PID 2632 wrote to memory of 2736 | 2632 | WINWORD.EXE | splwow64.exe
  PID 2632 wrote to memory of 2736 | 2632 | WINWORD.EXE | splwow64.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.exe"
  PID: 2164
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.docx"
    PID: 2632
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\1853110900.tmp
  Filesize: 1.6MB
  MD5: 9e4ed2fc2e6e8dda280bcd28a7bb2a69
  SHA1: ec2619b5bd65c054c28a1a1165c0a5361b8bafeb
  SHA256: 9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0
  SHA512: b702a20cd162603424f132e5367b8eeb1dced5529e48926f0e4cab9589725618f5ea162b903dc7f48f708b17c7b28a90e11ad9c1e815b54d6926434230dfb868
- C:\Users\Admin\AppData\Local\Temp\9d443259ea8d51ae9526311553ca27292739b41f0e41221e5da8e4680dad86c0.docx
  Filesize: 21KB
  MD5: 8869610891b0191e9746909ca47ab2d8
  SHA1: 8cb8a15d92c4f21de8d057a50b1947555781b703
  SHA256: 143e0f9934eeb25d2187e3e36f5dcbf2331266781e83ab9e3f73bbd295e539d5
  SHA512: 678a1ed385d85709f5205091b03aabde8a4626a1b372911c97d59b60ec38ff4a39098f851d4f07229d2bdd48ee946ab14e010bad961af34588ea3249133870a3
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: 25073cb5939c1a22cbfc4bf81778784b
  SHA1: 93b18135258190852682d941cb71ca3a87e539e2
  SHA256: 22880cc1c177f0f38f62976355a94cc1e14a200cffbcda70117964be907247bf
  SHA512: e04f489780f123bef6ba4905f667b3c158a8006128855909bb061891393f2a93ad8d774fcf0e78e07f554acd139b9f88b2b04c516936dcce2119385eef6292c3
- memory/2632-63-0x000000002F0A0000-0x000000002F1FD000-memory.dmp
  Filesize: 1.4MB
- memory/2632-64-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2632-65-0x00000000718ED000-0x00000000718F8000-memory.dmp
  Filesize: 44KB
- memory/2632-77-0x000000002F0A0000-0x000000002F1FD000-memory.dmp
  Filesize: 1.4MB
- memory/2632-78-0x00000000718ED000-0x00000000718F8000-memory.dmp
  Filesize: 44KB
- memory/2632-100-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2632-101-0x00000000718ED000-0x00000000718F8000-memory.dmp
  Filesize: 44KB