0d14e531ad3c4ce525c97335186c094791a271e45cc36a04c32724a47f8a10ba

General

Target

2feb872b2d97bfc82d73fe44e1ca8629.exe
Size

2.0MB
MD5

2feb872b2d97bfc82d73fe44e1ca8629
SHA1

0f17d462efecf7b5ed66113eb8ff4325d12fd5cd
SHA256

0d14e531ad3c4ce525c97335186c094791a271e45cc36a04c32724a47f8a10ba
SHA512

647fd42d750c51d672be73a604c65797bf0750ecb466dc4518415edc9f3ad22e1f88fb43ed59d4ba0ace620a16df08e9eda97a257f09a702ebf5a759385aec95
SSDEEP

49152:OFUcx88PWPOpX0SFCKMRwf/9SDckGKXVZ6gX9VzQdVbyGc:O+K88uPCH0nRk/AKKX2gX9VzQfbyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	12C6.tmp

Loads dropped DLL 1 IoCs

pid	Process
2148	2feb872b2d97bfc82d73fe44e1ca8629.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1708	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1632	12C6.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1708	WINWORD.EXE
1708	WINWORD.EXE
1708	WINWORD.EXE
1708	WINWORD.EXE
1708	WINWORD.EXE
1708	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1632	2148	2feb872b2d97bfc82d73fe44e1ca8629.exe	19
PID 2148 wrote to memory of 1632	2148	2feb872b2d97bfc82d73fe44e1ca8629.exe	19
PID 2148 wrote to memory of 1632	2148	2feb872b2d97bfc82d73fe44e1ca8629.exe	19
PID 2148 wrote to memory of 1632	2148	2feb872b2d97bfc82d73fe44e1ca8629.exe	19
PID 1632 wrote to memory of 1708	1632	12C6.tmp	29
PID 1632 wrote to memory of 1708	1632	12C6.tmp	29
PID 1632 wrote to memory of 1708	1632	12C6.tmp	29
PID 1632 wrote to memory of 1708	1632	12C6.tmp	29

C:\Users\Admin\AppData\Local\Temp\2feb872b2d97bfc82d73fe44e1ca8629.exe
"C:\Users\Admin\AppData\Local\Temp\2feb872b2d97bfc82d73fe44e1ca8629.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\12C6.tmp
  "C:\Users\Admin\AppData\Local\Temp\12C6.tmp" --splashC:\Users\Admin\AppData\Local\Temp\2feb872b2d97bfc82d73fe44e1ca8629.exe F00243DA3FB21B47F814A6116A10B4A1E2E2FEA11C39C3B611447B6A7F938F5EF12CCBE5AC61919DE5FC1B111CAC15976CC4593BE9C81755D629EAB8120C1F62
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2feb872b2d97bfc82d73fe44e1ca8629.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12C6.tmp

Filesize
1.0MB

MD5
95bc59a67c0dec36d87b17a21fc9f893

SHA1
a1da63169842057f7e5c0f46195dcc6b00c97689

SHA256
302158f4529bacc8633bd1f2538ce49fceab4dca3241f0b887a55af182f816d8

SHA512
dc72587276bcbfb2f9b1378a07d94fdbff8596ae10f4bd39c2a54435fab918887125a81372b322cd7049e5aac85fdb923938a0a22e0861f24f4f6c15ded83eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2feb872b2d97bfc82d73fe44e1ca8629.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\12C6.tmp

Filesize
1.1MB

MD5
76245221c9c434ce94cf67928d0a6439

SHA1
fd60389bc79b31c0f774acac93708f233fd0b6e4

SHA256
8f6549fa6056cac5e0f89118b20716038615df172a46136903be45c574e2e70c

SHA512
149d6469955072c3dca432b9ffa67ac782c68402eeae59e88b205e1927b415d9a856a2f11a98713fc45e94dae7d34b5c104f2331715defea9f4e10aeb6ca5dfa

Download Submit
memory/1632-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1708-9-0x000000002FDE1000-0x000000002FDE2000-memory.dmp

Filesize
4KB

Download
memory/1708-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1708-11-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/2148-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing