c6e2a2676a36a69e2dbab849944744c8fbcfc8a366d68158ebfe6ee6e13869ef

General

Target

206d066931e30709654f959f63832739.exe
Size

31KB
MD5

206d066931e30709654f959f63832739
SHA1

d594f8a9c9eb1e49bd759a44c76cd976c1db4c63
SHA256

c6e2a2676a36a69e2dbab849944744c8fbcfc8a366d68158ebfe6ee6e13869ef
SHA512

22a3e9a1298473c5fc16060a15f7b168324a6ded23b5165b5ddf7a9b04e4c72de8eb5c1f193418730b4a82604c8b72424dcad480f9a983e5e0b35e8fede98f2b
SSDEEP

768:5pj6z/jZjEGWbqQiBAtCIOgDvY70788MiTZ:76bVERfiB6CngYM88MiTZ

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe rundll32.exe thxr.wgo nwfdtx"	206d066931e30709654f959f63832739.exe

Deletes itself 1 IoCs

pid	Process
1340	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3260	206d066931e30709654f959f63832739.exe
1340	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3748-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3748-6-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\thxr.wgo	206d066931e30709654f959f63832739.exe
File opened for modification	C:\Windows\SysWOW64\thxr.wgo	206d066931e30709654f959f63832739.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3748 set thread context of 3260	3748	206d066931e30709654f959f63832739.exe	19

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\idid	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1108	WINWORD.EXE
1108	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3260	206d066931e30709654f959f63832739.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3748	206d066931e30709654f959f63832739.exe
1108	WINWORD.EXE
1108	WINWORD.EXE
1108	WINWORD.EXE
1108	WINWORD.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3748 wrote to memory of 3260	3748	206d066931e30709654f959f63832739.exe	19
PID 3260 wrote to memory of 1340	3260	206d066931e30709654f959f63832739.exe	99
PID 3260 wrote to memory of 1340	3260	206d066931e30709654f959f63832739.exe	99
PID 3260 wrote to memory of 1340	3260	206d066931e30709654f959f63832739.exe	99

C:\Users\Admin\AppData\Local\Temp\206d066931e30709654f959f63832739.exe
"C:\Users\Admin\AppData\Local\Temp\206d066931e30709654f959f63832739.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\206d066931e30709654f959f63832739.exe
  C:\Users\Admin\AppData\Local\Temp\206d066931e30709654f959f63832739.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Modifies registry class
    PID:1340

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4759.tmp

Filesize
19KB

MD5
ab9bd797d8feac4c493678b512227985

SHA1
4c03492dbce45caae829ed9de4710d0739185b1c

SHA256
361a38c8183138c0b49564eaeb075f0074b60f861c13a7e4344f748f6bd89a1b

SHA512
dc6436c741331b88d464413be2a61f83e3f50490900c8104663c3af4df6c25d97303792c198ea9292799551db47d6c2acab150cc0cd8419d1cb692a3ab21e048

Download Submit
memory/1108-22-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-12-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-14-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-16-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-17-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-21-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-23-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-29-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-31-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-32-0x00007FFE16B80000-0x00007FFE16B90000-memory.dmp

Filesize
64KB

Download
memory/1108-30-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-28-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-27-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-26-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-25-0x00007FFE16B80000-0x00007FFE16B90000-memory.dmp

Filesize
64KB

Download
memory/1108-24-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-20-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-50-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-53-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-19-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-15-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-13-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-11-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-52-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-18-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1108-54-0x00007FFE59270000-0x00007FFE59465000-memory.dmp

Filesize
2.0MB

Download
memory/1108-51-0x00007FFE192F0000-0x00007FFE19300000-memory.dmp

Filesize
64KB

Download
memory/1340-62-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/1340-64-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/3260-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3260-61-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/3748-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3748-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads