d1481688842a4f42c814dbdb746fa2c03b29a5f5e2147589b96d1c913ba1f855

General

Target

1ea06f3296a7feed811e9c94cc6c8fe8.exe
Size

2.0MB
MD5

1ea06f3296a7feed811e9c94cc6c8fe8
SHA1

99b699b20896bb7d9a95caa625c9b6b44fdd7b86
SHA256

d1481688842a4f42c814dbdb746fa2c03b29a5f5e2147589b96d1c913ba1f855
SHA512

4e751eca29c125d9b02269577b8a22e5eab022a8e5e8b900d33dc538eb10f77161c991e169ddbed7910461e1615eee33c36f3ee5d7fdd2a34c4b6a113965885c
SSDEEP

49152:OFUcx88PWPOpX0SFvEgskQk54/EDG+m7yGc:O+K88uPCHpEvvk5wEqH7yGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	68C1.tmp

Loads dropped DLL 1 IoCs

pid	Process
2416	1ea06f3296a7feed811e9c94cc6c8fe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2788	68C1.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2788	2416	1ea06f3296a7feed811e9c94cc6c8fe8.exe	28
PID 2416 wrote to memory of 2788	2416	1ea06f3296a7feed811e9c94cc6c8fe8.exe	28
PID 2416 wrote to memory of 2788	2416	1ea06f3296a7feed811e9c94cc6c8fe8.exe	28
PID 2416 wrote to memory of 2788	2416	1ea06f3296a7feed811e9c94cc6c8fe8.exe	28
PID 2788 wrote to memory of 2784	2788	68C1.tmp	29
PID 2788 wrote to memory of 2784	2788	68C1.tmp	29
PID 2788 wrote to memory of 2784	2788	68C1.tmp	29
PID 2788 wrote to memory of 2784	2788	68C1.tmp	29

C:\Users\Admin\AppData\Local\Temp\1ea06f3296a7feed811e9c94cc6c8fe8.exe
"C:\Users\Admin\AppData\Local\Temp\1ea06f3296a7feed811e9c94cc6c8fe8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\68C1.tmp
  "C:\Users\Admin\AppData\Local\Temp\68C1.tmp" --splashC:\Users\Admin\AppData\Local\Temp\1ea06f3296a7feed811e9c94cc6c8fe8.exe 245F4A445E5DFAEF50F3858A9177F31B5ECFF707F786D771C7194FB2E464517FB7861BD2470B6DEBF5F620D683BF6A71877E5170C0B61E12969480FE56530A08
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ea06f3296a7feed811e9c94cc6c8fe8.docx"
    3⤵
    - Modifies Internet Explorer settings
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ea06f3296a7feed811e9c94cc6c8fe8.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\68C1.tmp

Filesize
638KB

MD5
79146f4b1f5ae838ef649fbc89015100

SHA1
e4c38716b40b89f3e6fa60cd47fc939cbd34da94

SHA256
b021c5de5e98b45148db446be90b8ec8529b0079fcdaa1fedd740671c85eeed6

SHA512
40ac5c5acb4f04bc6ec300967077d026f5fc733c1ee5e507ccfa589797e2f2faa2ab328e10d2d867001b5118582350b421aeb61f6d1099c3498d889160ec4f1c

Download Submit
\Users\Admin\AppData\Local\Temp\68C1.tmp

Filesize
596KB

MD5
c11d46b7efcc78ee19985ca4665407be

SHA1
486e46342df7884b19858f4d2fa0a14770500a66

SHA256
286aa50c2249ff0d127054d7491a5b698a593fa2fb02bb92c90a412d23003b9b

SHA512
a13151029e8a51c8a899a86ba30b28d939833cc289757d79d3dd52c82229857eb3631c33638a0de9907099ea6013ad0d9e54430eb9564cb5f5a13163cbc3f277

Download Submit
memory/2416-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2784-9-0x000000002F0D1000-0x000000002F0D2000-memory.dmp

Filesize
4KB

Download
memory/2784-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2784-11-0x0000000071ACD000-0x0000000071AD8000-memory.dmp

Filesize
44KB

Download
memory/2784-15-0x0000000071ACD000-0x0000000071AD8000-memory.dmp

Filesize
44KB

Download
memory/2788-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing