9042220f346408b9f886911ca701bb28c69cdedc6d2ba8c5220f55c3dfcfcfd8

General

Target

f9c2fa757afc334231c4c0a0e1e93a1e.exe
Size

2.0MB
MD5

f9c2fa757afc334231c4c0a0e1e93a1e
SHA1

b125074a087d13689eb5a548cbf57c685a804157
SHA256

9042220f346408b9f886911ca701bb28c69cdedc6d2ba8c5220f55c3dfcfcfd8
SHA512

4a877ebd1d60f8cfa3affcff0317970047370fe462e262f72467491ad7ab500e5bd4b86d5d175f831c9a84050ed56852cf96fb1deb0d1b0af8193072233e1a9b
SSDEEP

49152:OFUcx88PWPOpX0SFtPHwxDbkneb5zW7g1Mjb/JMAr1g6yGc:O+K88uPCHrPHYDDtz6v3/qA5hyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1876	4144.tmp

Loads dropped DLL 1 IoCs

pid	Process
3040	f9c2fa757afc334231c4c0a0e1e93a1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2996	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1876	4144.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE
2996	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1876	3040	f9c2fa757afc334231c4c0a0e1e93a1e.exe	28
PID 3040 wrote to memory of 1876	3040	f9c2fa757afc334231c4c0a0e1e93a1e.exe	28
PID 3040 wrote to memory of 1876	3040	f9c2fa757afc334231c4c0a0e1e93a1e.exe	28
PID 3040 wrote to memory of 1876	3040	f9c2fa757afc334231c4c0a0e1e93a1e.exe	28
PID 1876 wrote to memory of 2996	1876	4144.tmp	29
PID 1876 wrote to memory of 2996	1876	4144.tmp	29
PID 1876 wrote to memory of 2996	1876	4144.tmp	29
PID 1876 wrote to memory of 2996	1876	4144.tmp	29

C:\Users\Admin\AppData\Local\Temp\f9c2fa757afc334231c4c0a0e1e93a1e.exe
"C:\Users\Admin\AppData\Local\Temp\f9c2fa757afc334231c4c0a0e1e93a1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\4144.tmp
  "C:\Users\Admin\AppData\Local\Temp\4144.tmp" --splashC:\Users\Admin\AppData\Local\Temp\f9c2fa757afc334231c4c0a0e1e93a1e.exe 4E6CE41D20FD3A1FBE1FE2F91B6011686C20110E61988C9DDD9458C6CCF3DF6FA737B4069663B8FA6598156757409EA7A5D9FA3F1D9D30A3A684B0B0E19BF783
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f9c2fa757afc334231c4c0a0e1e93a1e.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4144.tmp

Filesize
1.2MB

MD5
992761fc2ab24d063983275ac25d07cf

SHA1
93577797925b2c02c8aa40d8c1cbd594c0f34c7f

SHA256
ab37faa754c9e3e2b1ac63e4d9ec5b74dc238b70c355fcda863a092d6c34191d

SHA512
af7b63a53f694ec361243cf5bf6993559954a7151e97aa63a2f689ce244b6efb68bd1dd97c6f4b74ebb890b36ab51973e0d0eb4eb47a7faeea445cd125a035b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9c2fa757afc334231c4c0a0e1e93a1e.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\4144.tmp

Filesize
1.3MB

MD5
6edbd5862a1a283c3c037d70c5a09223

SHA1
28e9b4758eb5c6045bc5badd16d91bd05b469a88

SHA256
5b1aa0b4c303da124569f85d96f74e99a72d70ced4f80c93f285d9fb7740078f

SHA512
6f756451cc3db508e68f67dcfa88e026fbb1bde00020009ccfb6a9182ffdf638682ed694ee7bba658d7ba36bef27f55d44a1e7fedf9917be4de449ab196ad464

Download Submit
memory/1876-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2996-9-0x000000002F151000-0x000000002F152000-memory.dmp

Filesize
4KB

Download
memory/2996-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2996-11-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/2996-15-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/3040-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing