0f8a5a5baa63e193b8ea02b1308fd729bf080414332a545f7d0b64471ce53d84

General

Target

1e7d14ae814538ab0889465fdf51e611.exe
Size

2.0MB
MD5

1e7d14ae814538ab0889465fdf51e611
SHA1

176249a5d693cdf23ec17a64769fce4032eb0089
SHA256

0f8a5a5baa63e193b8ea02b1308fd729bf080414332a545f7d0b64471ce53d84
SHA512

5ead1be82131fc9776453bb287896c4f2728002696152f8c3a907e70423208084436138874531a7442503059c77822667b31ba6073869716d6706148923d3f18
SSDEEP

49152:OFUcx88PWPOpX0SFtAzAL9giuOH+FnLoK+8AhryGc:O+K88uPCH3AMLjuOH+FBz6ryGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	45D3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3256	45D3.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3256	3952	1e7d14ae814538ab0889465fdf51e611.exe	28
PID 3952 wrote to memory of 3256	3952	1e7d14ae814538ab0889465fdf51e611.exe	28
PID 3952 wrote to memory of 3256	3952	1e7d14ae814538ab0889465fdf51e611.exe	28

C:\Users\Admin\AppData\Local\Temp\1e7d14ae814538ab0889465fdf51e611.exe
"C:\Users\Admin\AppData\Local\Temp\1e7d14ae814538ab0889465fdf51e611.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\45D3.tmp
  "C:\Users\Admin\AppData\Local\Temp\45D3.tmp" --splashC:\Users\Admin\AppData\Local\Temp\1e7d14ae814538ab0889465fdf51e611.exe 7576043CA48D2F0E11B2EF7151CB20A113954649B6FB1E676D7997F39A2D5BC873FDD200DA2C015D95D7535332EA4FBC6073757016F62E7DD2E0E8875C981E9E
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  PID:3256
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e7d14ae814538ab0889465fdf51e611.docx" /o ""
    3⤵
    PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e7d14ae814538ab0889465fdf51e611.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\45D3.tmp

Filesize
92KB

MD5
e8f4ce8d7de9f8059f3c05e5cbabd6f5

SHA1
66f151e4d1eb0a4a3ef518489d801bd975c47bd8

SHA256
552c1ea2a0de4f62a80a26f186d03b626637e5ef1eb47409a208c054bbe7b006

SHA512
0066b3b2c95fd9c3dcbc614497adb5d12b1899ab1379e8d3d920b383c06978086f194bbff83c9190d0663c4cbc10eac2b6b27026c4ef74343aefe42ea5378456

Download Submit
memory/3256-5-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/3952-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/4392-26-0x00007FFDD3E80000-0x00007FFDD3E90000-memory.dmp

Filesize
64KB

Download
memory/4392-21-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-24-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-27-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-31-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-32-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-30-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-29-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-28-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-33-0x00007FFDD3E80000-0x00007FFDD3E90000-memory.dmp

Filesize
64KB

Download
memory/4392-16-0x00007FFDD6310000-0x00007FFDD6320000-memory.dmp

Filesize
64KB

Download
memory/4392-25-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-23-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-22-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-20-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-19-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-18-0x00007FFDD6310000-0x00007FFDD6320000-memory.dmp

Filesize
64KB

Download
memory/4392-17-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-14-0x00007FFDD6310000-0x00007FFDD6320000-memory.dmp

Filesize
64KB

Download
memory/4392-15-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-13-0x00007FFDD6310000-0x00007FFDD6320000-memory.dmp

Filesize
64KB

Download
memory/4392-12-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-11-0x00007FFDD6310000-0x00007FFDD6320000-memory.dmp

Filesize
64KB

Download
memory/4392-46-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download
memory/4392-47-0x00007FFE16290000-0x00007FFE16485000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing