5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a58aab3bd2cfaa86f7557e33b096c905_JC.exe
Size

40KB
MD5

a58aab3bd2cfaa86f7557e33b096c905
SHA1

656e534616387ea872005c8a1263a4303a2a1b03
SHA256

5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701
SHA512

1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435
SSDEEP

768:qZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqKNPWQHpa:OLsF2Kerc64sTiX2IV0Dhua

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2760	WINWORD.exe
2748	WINWORD.exe

Loads dropped DLL 4 IoCs

pid	Process
2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe
2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe
2616	cmd.exe
2616	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r"	WINWORD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2724	PING.EXE
2708	PING.EXE
2644	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2760	2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe	28
PID 2132 wrote to memory of 2760	2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe	28
PID 2132 wrote to memory of 2760	2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe	28
PID 2132 wrote to memory of 2760	2132	a58aab3bd2cfaa86f7557e33b096c905_JC.exe	28
PID 2760 wrote to memory of 2616	2760	WINWORD.exe	29
PID 2760 wrote to memory of 2616	2760	WINWORD.exe	29
PID 2760 wrote to memory of 2616	2760	WINWORD.exe	29
PID 2760 wrote to memory of 2616	2760	WINWORD.exe	29
PID 2616 wrote to memory of 2708	2616	cmd.exe	31
PID 2616 wrote to memory of 2708	2616	cmd.exe	31
PID 2616 wrote to memory of 2708	2616	cmd.exe	31
PID 2616 wrote to memory of 2708	2616	cmd.exe	31
PID 2616 wrote to memory of 2644	2616	cmd.exe	32
PID 2616 wrote to memory of 2644	2616	cmd.exe	32
PID 2616 wrote to memory of 2644	2616	cmd.exe	32
PID 2616 wrote to memory of 2644	2616	cmd.exe	32
PID 2616 wrote to memory of 2724	2616	cmd.exe	33
PID 2616 wrote to memory of 2724	2616	cmd.exe	33
PID 2616 wrote to memory of 2724	2616	cmd.exe	33
PID 2616 wrote to memory of 2724	2616	cmd.exe	33
PID 2616 wrote to memory of 2748	2616	cmd.exe	34
PID 2616 wrote to memory of 2748	2616	cmd.exe	34
PID 2616 wrote to memory of 2748	2616	cmd.exe	34
PID 2616 wrote to memory of 2748	2616	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\a58aab3bd2cfaa86f7557e33b096c905_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a58aab3bd2cfaa86f7557e33b096c905_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\0000070F" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2644
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2724
  - - C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
      "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\0000070F

Filesize
40KB

MD5
bcbada1a62603db72924600482ccb493

SHA1
2186de6a0573d7ba00b52f43eee15d87b3bd62c3

SHA256
b5cd124181ebbbb001a7cd54504119e9052cf96c6137cb78d7e2eb40843c845d

SHA512
8c8ddfb73484a3e6b38ad92ef32cb6676c8b18794f716e34b79cd8b95acca4e63897dd283fc0d784ff0113460258cf74f23c7ee016682ed03342e461d33e0a8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
a58aab3bd2cfaa86f7557e33b096c905

SHA1
656e534616387ea872005c8a1263a4303a2a1b03

SHA256
5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

SHA512
1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
a58aab3bd2cfaa86f7557e33b096c905

SHA1
656e534616387ea872005c8a1263a4303a2a1b03

SHA256
5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

SHA512
1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
a58aab3bd2cfaa86f7557e33b096c905

SHA1
656e534616387ea872005c8a1263a4303a2a1b03

SHA256
5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

SHA512
1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
bcbada1a62603db72924600482ccb493

SHA1
2186de6a0573d7ba00b52f43eee15d87b3bd62c3

SHA256
b5cd124181ebbbb001a7cd54504119e9052cf96c6137cb78d7e2eb40843c845d

SHA512
8c8ddfb73484a3e6b38ad92ef32cb6676c8b18794f716e34b79cd8b95acca4e63897dd283fc0d784ff0113460258cf74f23c7ee016682ed03342e461d33e0a8f

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
a58aab3bd2cfaa86f7557e33b096c905

SHA1
656e534616387ea872005c8a1263a4303a2a1b03

SHA256
5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

SHA512
1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
a58aab3bd2cfaa86f7557e33b096c905

SHA1
656e534616387ea872005c8a1263a4303a2a1b03

SHA256
5a1e87295730feb49362b6b4468b58f05b1f07bc397ac94f25eda5fc0010a701

SHA512
1fee3268e2de603362b70182905352420fb298eaf10ab57b684bff2a41d3360bb8ae6e35e0391236e28758d88c7dae9a9663108fe161a551aa03ab8bb0c26435

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
bcbada1a62603db72924600482ccb493

SHA1
2186de6a0573d7ba00b52f43eee15d87b3bd62c3

SHA256
b5cd124181ebbbb001a7cd54504119e9052cf96c6137cb78d7e2eb40843c845d

SHA512
8c8ddfb73484a3e6b38ad92ef32cb6676c8b18794f716e34b79cd8b95acca4e63897dd283fc0d784ff0113460258cf74f23c7ee016682ed03342e461d33e0a8f

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
bcbada1a62603db72924600482ccb493

SHA1
2186de6a0573d7ba00b52f43eee15d87b3bd62c3

SHA256
b5cd124181ebbbb001a7cd54504119e9052cf96c6137cb78d7e2eb40843c845d

SHA512
8c8ddfb73484a3e6b38ad92ef32cb6676c8b18794f716e34b79cd8b95acca4e63897dd283fc0d784ff0113460258cf74f23c7ee016682ed03342e461d33e0a8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads