8205159d31de0c9d52254b4e1f826d3bf376ee07fcc0513586a6e825fc5fdba6

General

Target

73fb04d0cd1dadc886e793d72cd883a6.exe
Size

2.0MB
MD5

73fb04d0cd1dadc886e793d72cd883a6
SHA1

79580407fb2831b812a45e5655cdfba76234acfa
SHA256

8205159d31de0c9d52254b4e1f826d3bf376ee07fcc0513586a6e825fc5fdba6
SHA512

4a547d6110365f288e818ce1bd6511f9926f5ef021b88c707c30f002798ce0bf784ee959937b21f747d8a6ebfe23854959d3320a3325b74165b03e07a7f564e9
SSDEEP

49152:OFUcx88PWPOpX0SFD4mxn3SwdymiwPoARGQ8xWmwIJtyGc:O+K88uPCHtCwdhiwvL8ElgyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2180	5698.tmp

Loads dropped DLL 1 IoCs

pid	Process
2536	73fb04d0cd1dadc886e793d72cd883a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2836	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2180	5698.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2180	2536	73fb04d0cd1dadc886e793d72cd883a6.exe	28
PID 2536 wrote to memory of 2180	2536	73fb04d0cd1dadc886e793d72cd883a6.exe	28
PID 2536 wrote to memory of 2180	2536	73fb04d0cd1dadc886e793d72cd883a6.exe	28
PID 2536 wrote to memory of 2180	2536	73fb04d0cd1dadc886e793d72cd883a6.exe	28
PID 2180 wrote to memory of 2836	2180	5698.tmp	29
PID 2180 wrote to memory of 2836	2180	5698.tmp	29
PID 2180 wrote to memory of 2836	2180	5698.tmp	29
PID 2180 wrote to memory of 2836	2180	5698.tmp	29

C:\Users\Admin\AppData\Local\Temp\73fb04d0cd1dadc886e793d72cd883a6.exe
"C:\Users\Admin\AppData\Local\Temp\73fb04d0cd1dadc886e793d72cd883a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\5698.tmp
  "C:\Users\Admin\AppData\Local\Temp\5698.tmp" --splashC:\Users\Admin\AppData\Local\Temp\73fb04d0cd1dadc886e793d72cd883a6.exe 9246CE1A93ABA8AE4F639A4B5DADC327508C63DFB3300694E719C79C69FD0C6219DB614B19E5E90DE057BD5BC100732A2571E880C3F0C2260B7A27DF9E182DC0
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\73fb04d0cd1dadc886e793d72cd883a6.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5698.tmp

Filesize
1.1MB

MD5
e81c68ef6589092238385adf305d3299

SHA1
f08c75215c8b19d8f43d5a444001ae985fcc01e4

SHA256
fac844c3595794d250ac394e6616fe354e84d5a214f02f828df4d84e9a3b6a63

SHA512
7c172c7ed18ea8288af6c54204fa6b8e474a60b6dd19922995aa0c14ae0cb6062c79565db0d0ce9f8c9ef4a097a492f97046c7e3d55d4f54e4ab3f32c0b15bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\73fb04d0cd1dadc886e793d72cd883a6.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\5698.tmp

Filesize
719KB

MD5
6388c7e8e1618e5aa9aabbd7c683bfd1

SHA1
4b80aa7b1c1f62c038d6ce85d91ec10280acb26e

SHA256
cdb9cb395714e573de06d012cf919ea67911a8bddf00dd23d7d43988aa474bcb

SHA512
915ecad2ab8c9cc482126fca426c52c23e6e39b4ef0ca3734aa201ca95919ac1bd229f1998926fe341a8817e104605e01922f5c246c313bfb34006c7e36fed17

Download Submit
memory/2180-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2536-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2836-9-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download
memory/2836-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2836-11-0x00000000713AD000-0x00000000713B8000-memory.dmp

Filesize
44KB

Download
memory/2836-15-0x00000000713AD000-0x00000000713B8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing