b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2

General

Target

b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe
Size

437KB
MD5

859773f013b331c33b9912518f177881
SHA1

ae6a2f08b46095a9425c0bce997938d2c6a1f6b8
SHA256

b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2
SHA512

955b49828419ec5e3e3520c18ec4d73bc720728aeea358bf591cdb1a0d2cf0a57332aa7e43b75a3a8d85cbd9b17e9e66cf46123971b61e039ed359c56d8a83f7
SSDEEP

3072:7GOX9U0i7k1KdDnPQ5CXjDCofsmos5QvYx4Ove9wm+JuoY46js09/JCly6FfEVpE:iGXiQ0dDnI5CXHCofR536DXohM6lyIo

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4260	WINWORD.EXE
4260	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4260	WINWORD.EXE
4260	WINWORD.EXE
4260	WINWORD.EXE
4260	WINWORD.EXE
4260	WINWORD.EXE
4260	WINWORD.EXE
4260	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4260	4052	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	87
PID 4052 wrote to memory of 4260	4052	b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe	87

C:\Users\Admin\AppData\Local\Temp\b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe
"C:\Users\Admin\AppData\Local\Temp\b19dbf5dfb65ec5d211a7c18a47f2d0a5127009ecda9058a6b95fc95cb7f6ac2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\JobDetail.docx" /o ""
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
227B

MD5
1d9537de62b62ba338f272e1a5f9435c

SHA1
2616f2d0e0b9f295068473cccd0671fde1064a5c

SHA256
130a8175864385d8b042a1c46fff26f0e5ddbcd7fa346e0686ba5a2bfd561073

SHA512
b0d70b1a0fb9c5daa22b0a8a842e193df39ef45d02f6fc86fb66c678b3e411b1cd02f4ebdcfe2399b414cda9e7908bd2703efc7237bcabe15fc4fe7e5ecd8996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
2242522e7949cf80c07d3162adecb422

SHA1
e74fb659c0b2ca8b840bdfeac81e7d5a968ca0fa

SHA256
98a94417eca1ef2b8a4cbf06f8849017c93e40a503acc3e3ee1594e1ce97ff91

SHA512
c3769b21a3b699fdc828d38aa8c4de06f1449fc9434e2aaf0e49a83e7258d58b9b9b621fb38db0f1e6bd145e0c4271c0cdfb14f9adcac253fed823509ae862ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
128e40af9678f9e2a8f25f2be0ae45b5

SHA1
8b3c9ddd06432abd2811b99778e28cd3f4a26d5e

SHA256
48f479421769344f442d19a1a4496e40aefbb0bb2b5850474d10358b48ebc40d

SHA512
d84b6a59e27be1eaeb618a24ef41972a868c4ba9712fd9b79c393e9dd705dae39239dadede1c84237bcfcdcc6017ec8ec96f715c3fe9fead5a8b3d35084f8cf6

Download Submit
memory/4260-8-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-35-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-5-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-7-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-6-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-0-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-9-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-10-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-11-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-12-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-13-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-14-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-16-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-15-0x00007FFC61190000-0x00007FFC611A0000-memory.dmp

Filesize
64KB

Download
memory/4260-4-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-32-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-17-0x00007FFC61190000-0x00007FFC611A0000-memory.dmp

Filesize
64KB

Download
memory/4260-33-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-34-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-2-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-3-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-1-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-69-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-70-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-71-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-73-0x00007FFC636D0000-0x00007FFC636E0000-memory.dmp

Filesize
64KB

Download
memory/4260-72-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-74-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4260-75-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing