833893e0b65d224d854d17ea1db424a6d32784254c08369c9d7f37147d8b3684

General

Target

21de6b3236e6440e98acf4052779478b.exe
Size

2.0MB
MD5

21de6b3236e6440e98acf4052779478b
SHA1

8b1eaf19f94f0b6c99b1b8ef5dac9872aca94383
SHA256

833893e0b65d224d854d17ea1db424a6d32784254c08369c9d7f37147d8b3684
SHA512

7a67ec22c2356d1e53b8bf236e37f0ea2da7559b88fbeff2da056c0fc05ec8fc8d46d7e630543546db6fd3d8ce70f4dcf1e950b66ecde9e6918fba600231b4c9
SSDEEP

49152:OFUcx88PWPOpX0SFpHOl/r9qnWW/Fm8RgYPyiNeFm9yGc:O+K88uPCHSl9qnWoFm8RgQ5N9yGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	A3BE.tmp

Loads dropped DLL 1 IoCs

pid	Process
2912	21de6b3236e6440e98acf4052779478b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2652	A3BE.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE
2760	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2652	2912	21de6b3236e6440e98acf4052779478b.exe	27
PID 2912 wrote to memory of 2652	2912	21de6b3236e6440e98acf4052779478b.exe	27
PID 2912 wrote to memory of 2652	2912	21de6b3236e6440e98acf4052779478b.exe	27
PID 2912 wrote to memory of 2652	2912	21de6b3236e6440e98acf4052779478b.exe	27
PID 2652 wrote to memory of 2760	2652	A3BE.tmp	28
PID 2652 wrote to memory of 2760	2652	A3BE.tmp	28
PID 2652 wrote to memory of 2760	2652	A3BE.tmp	28
PID 2652 wrote to memory of 2760	2652	A3BE.tmp	28

C:\Users\Admin\AppData\Local\Temp\21de6b3236e6440e98acf4052779478b.exe
"C:\Users\Admin\AppData\Local\Temp\21de6b3236e6440e98acf4052779478b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\A3BE.tmp
  "C:\Users\Admin\AppData\Local\Temp\A3BE.tmp" --splashC:\Users\Admin\AppData\Local\Temp\21de6b3236e6440e98acf4052779478b.exe 461BF27FEE301F024CF769E370C83464A4F70DBBAFAB2E58BAEE0DBFE585AEC2B66A8F488973A570BD5E829C619C9801FB232E52294F9490EC1D6D400CFBE151
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\21de6b3236e6440e98acf4052779478b.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21de6b3236e6440e98acf4052779478b.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3BE.tmp

Filesize
327KB

MD5
7159bea0f1bdf48b9695d761e79e656a

SHA1
3c777cee7b9fd5efaf565d2da3b5f68015bd1ccc

SHA256
c2c0622a9d4873cbc8c2f700feadbe8d50525026c4aed6a3a4e9db876a38c8d0

SHA512
67555937279f409a7bdfc62e7b18db5185bbdc32d206cadc15dc4352078d7dc088d387310c2940d7819c54daa49d3bb7043db929118a489a37d766486335cb6b

Download Submit
\Users\Admin\AppData\Local\Temp\A3BE.tmp

Filesize
1.5MB

MD5
bf4f07b9a4d9a9b2336c334d54584959

SHA1
f6aa4558abfc795814488a5f18456da931e50c4c

SHA256
64ca47869dcb3b8140141127b25c0d59794a4c52bfe2291e0b5262fb889ad48b

SHA512
05d9dd2dcd4e18a80c5b1278c694d69b2caea348da16332a9ee2976edeb64ca653ba8b91feae86439f7e6b04c9c798d50bf779db6faea183072d633e1d309d61

Download Submit
memory/2652-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2760-9-0x000000002F5C1000-0x000000002F5C2000-memory.dmp

Filesize
4KB

Download
memory/2760-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-11-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2760-15-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2912-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing