40094f40c86eb060ed3d9530fb74b2b248a47a51ad7848223995cbaa0d1e13f2

General

Target

1556114ae5d666dbd078178d55b3f8aa.exe
Size

141KB
MD5

1556114ae5d666dbd078178d55b3f8aa
SHA1

5dc91107785d80241ed750c8ca4c7474d2ba05bd
SHA256

40094f40c86eb060ed3d9530fb74b2b248a47a51ad7848223995cbaa0d1e13f2
SHA512

52126e6219f8ca5e44febaaf1e24a8258d5aa6559e40d95eddc53044c0695c8d6c66dc725ea11e317666a5e8ce0ceebd47ba99731d3755a2dd152dc6c285dc7a
SSDEEP

3072:W5yJGaBDcKFP/QCtxydMKNWUWFisaGJC:W59aBwC/QrAfaGw

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

microsoftsystem.exedwtrig20dw20.exeautoshapoffice.exewindowsoperativo.exe

pid process

2480 microsoftsystem.exe
1816 dwtrig20dw20.exe
2124 autoshapoffice.exe
2744 windowsoperativo.exe

pid	process
2480	microsoftsystem.exe
1816	dwtrig20dw20.exe
2124	autoshapoffice.exe
2744	windowsoperativo.exe

Loads dropped DLL 8 IoCs

Processes:

1556114ae5d666dbd078178d55b3f8aa.exe

pid	process
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1556114ae5d666dbd078178d55b3f8aa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\AutoShapOffice = "c:\\program files (x86)\\microsoft office\\media\\office14\\autoshap\\autoshapoffice.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1556114ae5d666dbd078178d55b3f8aa.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\NotificationsReporting6.11.0001.402.0901301553 = "c:\\program files (x86)\\common files\\microsoft shared\\dw\\dwtrig20dw20.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ToolsComRPCChannel = "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoftsystem.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ImagingDevicesPhotoViewer = "c:\\program files (x86)\\windows photo viewer\\it-it\\windowsoperativo.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msadcorSystem = "c:\\program files (x86)\\common files\\system\\msadc\\ja-jp\\msadcersystem.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1556114ae5d666dbd078178d55b3f8aa.exe"	1556114ae5d666dbd078178d55b3f8aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Windowsmsadcfr = "c:\\program files (x86)\\common files\\system\\msadc\\it-it\\windowswindows.exe"	1556114ae5d666dbd078178d55b3f8aa.exe

Drops file in System32 directory 5 IoCs

Processes:

microsoftsystem.exedwtrig20dw20.exeautoshapoffice.exewindowsoperativo.exe1556114ae5d666dbd078178d55b3f8aa.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftsystem.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	dwtrig20dw20.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	autoshapoffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	windowsoperativo.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	1556114ae5d666dbd078178d55b3f8aa.exe

Drops file in Program Files directory 7 IoCs

Processes:

1556114ae5d666dbd078178d55b3f8aa.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\MicrosoftSystem.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\MicrosoftSystem.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Windowsoperativo.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\dwtrig20DW20.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcerSystem.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\WindowsWindows.exe	1556114ae5d666dbd078178d55b3f8aa.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\AUTOSHAPOffice.exe	1556114ae5d666dbd078178d55b3f8aa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1556114ae5d666dbd078178d55b3f8aa.exe

pid	process
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe
2240	1556114ae5d666dbd078178d55b3f8aa.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1556114ae5d666dbd078178d55b3f8aa.exe

description	pid	process	target process
PID 2240 wrote to memory of 2480	2240	1556114ae5d666dbd078178d55b3f8aa.exe	microsoftsystem.exe
PID 2240 wrote to memory of 2480	2240	1556114ae5d666dbd078178d55b3f8aa.exe	microsoftsystem.exe
PID 2240 wrote to memory of 2480	2240	1556114ae5d666dbd078178d55b3f8aa.exe	microsoftsystem.exe
PID 2240 wrote to memory of 2480	2240	1556114ae5d666dbd078178d55b3f8aa.exe	microsoftsystem.exe
PID 2240 wrote to memory of 1816	2240	1556114ae5d666dbd078178d55b3f8aa.exe	dwtrig20dw20.exe
PID 2240 wrote to memory of 1816	2240	1556114ae5d666dbd078178d55b3f8aa.exe	dwtrig20dw20.exe
PID 2240 wrote to memory of 1816	2240	1556114ae5d666dbd078178d55b3f8aa.exe	dwtrig20dw20.exe
PID 2240 wrote to memory of 1816	2240	1556114ae5d666dbd078178d55b3f8aa.exe	dwtrig20dw20.exe
PID 2240 wrote to memory of 2124	2240	1556114ae5d666dbd078178d55b3f8aa.exe	autoshapoffice.exe
PID 2240 wrote to memory of 2124	2240	1556114ae5d666dbd078178d55b3f8aa.exe	autoshapoffice.exe
PID 2240 wrote to memory of 2124	2240	1556114ae5d666dbd078178d55b3f8aa.exe	autoshapoffice.exe
PID 2240 wrote to memory of 2124	2240	1556114ae5d666dbd078178d55b3f8aa.exe	autoshapoffice.exe
PID 2240 wrote to memory of 2744	2240	1556114ae5d666dbd078178d55b3f8aa.exe	windowsoperativo.exe
PID 2240 wrote to memory of 2744	2240	1556114ae5d666dbd078178d55b3f8aa.exe	windowsoperativo.exe
PID 2240 wrote to memory of 2744	2240	1556114ae5d666dbd078178d55b3f8aa.exe	windowsoperativo.exe
PID 2240 wrote to memory of 2744	2240	1556114ae5d666dbd078178d55b3f8aa.exe	windowsoperativo.exe

C:\Users\Admin\AppData\Local\Temp\1556114ae5d666dbd078178d55b3f8aa.exe
"C:\Users\Admin\AppData\Local\Temp\1556114ae5d666dbd078178d55b3f8aa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

\??\c:\program files (x86)\microsoft visual studio 8\common7\ide\publicassemblies\microsoftsystem.exe
"c:\program files (x86)\microsoft visual studio 8\common7\ide\publicassemblies\microsoftsystem.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2480

\??\c:\program files (x86)\common files\microsoft shared\dw\dwtrig20dw20.exe
"c:\program files (x86)\common files\microsoft shared\dw\dwtrig20dw20.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816

\??\c:\program files (x86)\microsoft office\media\office14\autoshap\autoshapoffice.exe
"c:\program files (x86)\microsoft office\media\office14\autoshap\autoshapoffice.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124

\??\c:\program files (x86)\windows photo viewer\it-it\windowsoperativo.exe
"c:\program files (x86)\windows photo viewer\it-it\windowsoperativo.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\DW\dwtrig20DW20.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\MicrosoftSystem.exe
Filesize
141KB

MD5
1556114ae5d666dbd078178d55b3f8aa

SHA1
5dc91107785d80241ed750c8ca4c7474d2ba05bd

SHA256
40094f40c86eb060ed3d9530fb74b2b248a47a51ad7848223995cbaa0d1e13f2

SHA512
52126e6219f8ca5e44febaaf1e24a8258d5aa6559e40d95eddc53044c0695c8d6c66dc725ea11e317666a5e8ce0ceebd47ba99731d3755a2dd152dc6c285dc7a

Download Submit
\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\MicrosoftSystem.exe
Filesize
92KB

MD5
3ab4b4cbb25b22308a7343c4c74e73cc

SHA1
741269eb4e3e1ce26cf358a43574d7c40097e5fe

SHA256
28b1c68abbeb3b8c02aa2be56234af940537e28c03375ecc5ae62ef318cdd2cc

SHA512
38619fd8b684196a0bc92fc9fbddaf206f916da4cb3fe9385076aa7535568e37b77851bb9b5440c0ac5394e06bfeedb5a05722d6e2e9ee414ac1c2c39b22fc8d

Download Submit
memory/1816-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1816-158-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2124-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2240-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2240-101-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2240-4-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2480-77-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2480-76-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2744-332-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2744-333-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads