a0ca3b8978db543b2bcac32dcf8082a471e728c2e62fce3738e5b2bdec11239d

General

Target

27f118cf5e3ed554081bde1e0f20a39e.exe
Size

2.0MB
MD5

27f118cf5e3ed554081bde1e0f20a39e
SHA1

3867a8fa62e5c56357c41cc1ef3c2567296b8d14
SHA256

a0ca3b8978db543b2bcac32dcf8082a471e728c2e62fce3738e5b2bdec11239d
SHA512

6887df600ce28bdacdc29dd2b9541a7be7cf89b7e62382bc54c0f4b1ea2ce1d5c1288cf88a694009d744c585e47fb6689bbb2bea8025a71c06a1c3e949e4dadf
SSDEEP

49152:OFUcx88PWPOpX0SFsGoFeLygAO+dEbVFmeasv6g+pyGc:O+K88uPCHCae++dEpaFpyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1672	1A25.tmp

Loads dropped DLL 1 IoCs

pid	Process
1716	27f118cf5e3ed554081bde1e0f20a39e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2204	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1672	1A25.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1672	1716	27f118cf5e3ed554081bde1e0f20a39e.exe	28
PID 1716 wrote to memory of 1672	1716	27f118cf5e3ed554081bde1e0f20a39e.exe	28
PID 1716 wrote to memory of 1672	1716	27f118cf5e3ed554081bde1e0f20a39e.exe	28
PID 1716 wrote to memory of 1672	1716	27f118cf5e3ed554081bde1e0f20a39e.exe	28
PID 1672 wrote to memory of 2204	1672	1A25.tmp	29
PID 1672 wrote to memory of 2204	1672	1A25.tmp	29
PID 1672 wrote to memory of 2204	1672	1A25.tmp	29
PID 1672 wrote to memory of 2204	1672	1A25.tmp	29

C:\Users\Admin\AppData\Local\Temp\27f118cf5e3ed554081bde1e0f20a39e.exe
"C:\Users\Admin\AppData\Local\Temp\27f118cf5e3ed554081bde1e0f20a39e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\1A25.tmp
  "C:\Users\Admin\AppData\Local\Temp\1A25.tmp" --splashC:\Users\Admin\AppData\Local\Temp\27f118cf5e3ed554081bde1e0f20a39e.exe 3BFFEA94ED51B7540AF22224406A772C51708FC7F4BC0ADE8308EADDFEB4DCA3D405D62E1096EB67F82196BBC2AE06EF20E071B3BBC0688F3AA105DC4BBF4317
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27f118cf5e3ed554081bde1e0f20a39e.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1A25.tmp

Filesize
412KB

MD5
0db05455e0ee6c7ce5df4aa32664c97f

SHA1
b32b7474bba054fbfde77a49ccc2e1fe0d09266c

SHA256
7d1dd3a9a3dd4cdf743277e71ec71704d49af6b65f382530ae1e1ae4be38f307

SHA512
968c7c497b7f4d6bf10842c5ede6759eae07e5393ef14a59691a6b5777b4048eb38a9ac83cf3908dc7d6f489292807d52ed7a4975750eafed531f0c1af3c7477

Download Submit
\Users\Admin\AppData\Local\Temp\1A25.tmp

Filesize
149KB

MD5
ea394345ce0595c0e76903acf4a9bef6

SHA1
5b7680449b49d5edd3ddb3544074c0f1d8b6275a

SHA256
9561f5bd6b25541ed695888eee93cad3bd2d50625cf49c5c0693dfc479fb1701

SHA512
1a853ee6ad3470b6e820dd2147983491eeec99ff50df939df28d97bc74564de259948fb5febefbccb3014cae24576185149c239faf55441b77b3f4f3239835b2

Download Submit
memory/1672-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1716-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2204-9-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2204-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-11-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing