76989675a4f01f21b351d6ec0de35c2d7297faeace7f9dec0939d77220bf3b55

General

Target

14ee281d6fcbf4f092b200863c764b47.exe
Size

151KB
MD5

14ee281d6fcbf4f092b200863c764b47
SHA1

bde2bc8333d9134a8e96bb7df6dd3c5e2f94149e
SHA256

76989675a4f01f21b351d6ec0de35c2d7297faeace7f9dec0939d77220bf3b55
SHA512

6d773581df84b00e943fcf69c4f65be4fde9483215e8f3ef56d00061b7e95699e264c746446cf906bc28c7381aee0e6caf143c57d23db56c13ef415b8af5afc8
SSDEEP

3072:EBNhOvgAKe7zblFFJWrfU4cV+w8djJEfhV4Oc6g+Pj:EBNhEgAX7z/HCfcV+w8lJwV+n+b

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	14ee281d6fcbf4f092b200863c764b47.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	14ee281d6fcbf4f092b200863c764b47.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\E:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\W:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\U:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\S:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\O:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\M:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\X:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\Y:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\V:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\T:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\L:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\I:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\K:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\J:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\H:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\Z:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\R:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\Q:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\P:	14ee281d6fcbf4f092b200863c764b47.exe
File opened (read-only)	\??\N:	14ee281d6fcbf4f092b200863c764b47.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	F:\autorun.inf	14ee281d6fcbf4f092b200863c764b47.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE	14ee281d6fcbf4f092b200863c764b47.exe
File opened for modification	C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE	14ee281d6fcbf4f092b200863c764b47.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1936	14ee281d6fcbf4f092b200863c764b47.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2372	1936	14ee281d6fcbf4f092b200863c764b47.exe	16
PID 1936 wrote to memory of 2372	1936	14ee281d6fcbf4f092b200863c764b47.exe	16
PID 1936 wrote to memory of 2372	1936	14ee281d6fcbf4f092b200863c764b47.exe	16
PID 1936 wrote to memory of 2372	1936	14ee281d6fcbf4f092b200863c764b47.exe	16

C:\Users\Admin\AppData\Local\Temp\14ee281d6fcbf4f092b200863c764b47.exe
"C:\Users\Admin\AppData\Local\Temp\14ee281d6fcbf4f092b200863c764b47.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  "C:\Program Files (x86)\Microsoft Office\Office14\winword.exe"
  2⤵
  PID:2372
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Filesize
92KB

MD5
5ebe0701ecc74529d74c1527748772c8

SHA1
15a16e52d590f49dbae514272c8a3db7e8beddbb

SHA256
be2147f4a2c469f7f537eaffccd9306cf1194a44718d928e807bcd5e6ae68619

SHA512
2ae3e03d1ac77c9b860fab494ce10f815bad5c35069e9a7c08416b1a92a45341aa090d3bab926f32c8bd0d4b1f6db67e8b97af4829905e8f1aae50306350419c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE

Filesize
91KB

MD5
e1b2e0b7a17f95da8760f772185f03cc

SHA1
5b863662fcb7c384ef8d8cb384fe9b7fee6a6141

SHA256
d9bd8b1dab1b664de5f39dcaca008df8ee08f1e2693d1e389ea9816105d8ae04

SHA512
97799a957c7cb3a0e561717ae0af5ba0f23fc5dbdfd0a37b848ffe6c9ac85c9d2a67c339f8fed72123fe3784583959848770f0633f8ba4521d814e074762afab

Download Submit
memory/1936-35-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1936-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2372-54-0x0000000005D70000-0x0000000007141000-memory.dmp

Filesize
19.8MB

Download
memory/2372-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-55-0x000000002D310000-0x000000002DCE1000-memory.dmp

Filesize
9.8MB

Download
memory/2372-56-0x000000002FAB0000-0x0000000030E81000-memory.dmp

Filesize
19.8MB

Download
memory/2372-57-0x000000002D440000-0x000000002DE11000-memory.dmp

Filesize
9.8MB

Download
memory/2372-37-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/2372-27-0x000000002F161000-0x000000002F162000-memory.dmp

Filesize
4KB

Download
memory/2372-59-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/2372-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads