2ce8d9063c0843ebbd572b523f331512fb96efc146ab2c698c57a1738779fadd

General

Target

1749fd3d1c2f9a4b7f2c97a203a34a9e.exe
Size

2.0MB
MD5

1749fd3d1c2f9a4b7f2c97a203a34a9e
SHA1

498d0b71a55ff1758ee9e5947c5897c55139a6ab
SHA256

2ce8d9063c0843ebbd572b523f331512fb96efc146ab2c698c57a1738779fadd
SHA512

9b487aaf0f0ce1d32476b8e68205f67c545e607c1900d15034daed66d18bc7f65ecc8763e6ad0d74832c3f9e0d4600c76e19ed63b639e9b54aed4054cd123208
SSDEEP

49152:OFUcx88PWPOpX0SF7KnAUBfxTE9SVS+fl1wxPyGc:O+K88uPCH4n7JTE9K10PyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	FCF5.tmp

Loads dropped DLL 1 IoCs

pid	Process
2924	1749fd3d1c2f9a4b7f2c97a203a34a9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2516	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2988	FCF5.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2516	WINWORD.EXE
2516	WINWORD.EXE
2516	WINWORD.EXE
2516	WINWORD.EXE
2516	WINWORD.EXE
2516	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2988	2924	1749fd3d1c2f9a4b7f2c97a203a34a9e.exe	28
PID 2924 wrote to memory of 2988	2924	1749fd3d1c2f9a4b7f2c97a203a34a9e.exe	28
PID 2924 wrote to memory of 2988	2924	1749fd3d1c2f9a4b7f2c97a203a34a9e.exe	28
PID 2924 wrote to memory of 2988	2924	1749fd3d1c2f9a4b7f2c97a203a34a9e.exe	28
PID 2988 wrote to memory of 2516	2988	FCF5.tmp	29
PID 2988 wrote to memory of 2516	2988	FCF5.tmp	29
PID 2988 wrote to memory of 2516	2988	FCF5.tmp	29
PID 2988 wrote to memory of 2516	2988	FCF5.tmp	29

C:\Users\Admin\AppData\Local\Temp\1749fd3d1c2f9a4b7f2c97a203a34a9e.exe
"C:\Users\Admin\AppData\Local\Temp\1749fd3d1c2f9a4b7f2c97a203a34a9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\FCF5.tmp
  "C:\Users\Admin\AppData\Local\Temp\FCF5.tmp" --splashC:\Users\Admin\AppData\Local\Temp\1749fd3d1c2f9a4b7f2c97a203a34a9e.exe 7773BD4CDFA01E1C2DAD5D874532C4EC45DC8DD9F6C18D06F06FDA3172BD17D17ACA65982456D051D74890E42D444F8E495220BFE5E7EE7136C9B6B9EA97BB5C
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1749fd3d1c2f9a4b7f2c97a203a34a9e.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1749fd3d1c2f9a4b7f2c97a203a34a9e.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCF5.tmp

Filesize
310KB

MD5
0e4cbbfc1ed39d07fc1b01bc0583a5b5

SHA1
10498c294e7fef35ba849f75631a7b6a652809e0

SHA256
4757e5abd60469c72999ce8f07bbc4e7560400f59104f4ea5a8a8f85d89d97af

SHA512
7aee403ce4a7b3271a0f43f37c62a5feabd407013591a121d89b9c2eb8dd6fed7205dfd378855f7d528f8b0d271673d5115ba25670a7324bbcdc26c7d6090dc7

Download Submit
\Users\Admin\AppData\Local\Temp\FCF5.tmp

Filesize
205KB

MD5
67e48ceff60beb0df9dc50fb4e6204e0

SHA1
2458d7544c49755d882335e1c3e440c10071f0f8

SHA256
7c187c0bf5aac54a0f33cc44ad6dea32fdbcbbae60e12d96aeeca345db0f0f64

SHA512
23e936feaffd31c3ed0a3b9bba96d9b86dc70bc31e0e9a2a5f2ee52c1709e1e4531cbc787e6e57632e0f0d98700b12c244edce3a30e6f1c9d91c1666c31eca32

Download Submit
memory/2516-9-0x000000002FDC1000-0x000000002FDC2000-memory.dmp

Filesize
4KB

Download
memory/2516-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2516-11-0x00000000719ED000-0x00000000719F8000-memory.dmp

Filesize
44KB

Download
memory/2516-15-0x00000000719ED000-0x00000000719F8000-memory.dmp

Filesize
44KB

Download
memory/2924-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2988-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing