ede16809d33515e9189397610f0e580c1016a7cca138823f94e20667f7badf11

General

Target

5e6cc5735d0ade6949c115d0b57853af.exe
Size

2.0MB
MD5

5e6cc5735d0ade6949c115d0b57853af
SHA1

304275ae624aa1a12eac83cda415b4acf9f30533
SHA256

ede16809d33515e9189397610f0e580c1016a7cca138823f94e20667f7badf11
SHA512

af0e18354c211b490797c57de85464ea7b6f2aa412c72c40b6b38f471e1a0e79c4416dd1262df2320f266e7bdd781c0a47777eb46f51c15be11a5b0be13ddc44
SSDEEP

49152:OFUcx88PWPOpX0SFrL5cS/W253ExzI9nzFXNpA1yGc:O+K88uPCHF5cSu7Rop0yGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	3CD2.tmp

Loads dropped DLL 1 IoCs

pid	Process
2540	5e6cc5735d0ade6949c115d0b57853af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1968	3CD2.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE
2804	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1968	2540	5e6cc5735d0ade6949c115d0b57853af.exe	28
PID 2540 wrote to memory of 1968	2540	5e6cc5735d0ade6949c115d0b57853af.exe	28
PID 2540 wrote to memory of 1968	2540	5e6cc5735d0ade6949c115d0b57853af.exe	28
PID 2540 wrote to memory of 1968	2540	5e6cc5735d0ade6949c115d0b57853af.exe	28
PID 1968 wrote to memory of 2804	1968	3CD2.tmp	29
PID 1968 wrote to memory of 2804	1968	3CD2.tmp	29
PID 1968 wrote to memory of 2804	1968	3CD2.tmp	29
PID 1968 wrote to memory of 2804	1968	3CD2.tmp	29

C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe
"C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\3CD2.tmp
  "C:\Users\Admin\AppData\Local\Temp\3CD2.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.exe 07792D10D594188045DEC28DA9E63A78F46511B47AF364F757C7047F2725F38BA686A4644F6B0C1AD8FE51E55E29B91D9E4C7BD622D6FF5F290379185129FA1F
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CD2.tmp

Filesize
527KB

MD5
3036ebb201da302e9fd1f97216e84b6f

SHA1
a3b1007574794e0bcfc4d2d1cad95e4925dec685

SHA256
bebf5783af6ded4b933685bcdba5715eeaec22a2fff65aae1c12a623268e4d1c

SHA512
81d773874b20c58ff17a42f64a4711aa4171889283527f4378634f19153bc6023de00738241d24cc04594918e56fd1377c63d09d591ee0bbfad1e9e035b4ce94

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e6cc5735d0ade6949c115d0b57853af.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\3CD2.tmp

Filesize
1.2MB

MD5
acfaca9d94b44a187e33255767ee3006

SHA1
95204663a94eb6db0fe2c2bf074f5e67f12df154

SHA256
8d46e44fe63521a9f85d1384c4c70cb3be7bb0053dc048c106396dea5bfd1e9a

SHA512
f1839c19b33781932ff25e462b685127e5917f850a7cf0054fc1687110bb52dbba3568053e549d2db0fcbfd55e34ad1229afabe0605f151b6ef983e23b6caf02

Download Submit
memory/1968-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2540-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2804-9-0x000000002F441000-0x000000002F442000-memory.dmp

Filesize
4KB

Download
memory/2804-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-11-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download
memory/2804-15-0x00000000717ED000-0x00000000717F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing