eb69a6b553255baaf7c7a05d8ebeaf3e984098f685246bdba3d6513185187083

General

Target

67c6d93d5aa88d338a5ae0918ef98002.exe
Size

2.0MB
MD5

67c6d93d5aa88d338a5ae0918ef98002
SHA1

6c857b3b3b031598bd23e4c8c0308498dda3eb3d
SHA256

eb69a6b553255baaf7c7a05d8ebeaf3e984098f685246bdba3d6513185187083
SHA512

cca00a1932c9b76d67cb508e2213b8c4150248f8b39b22cff100e71c770bb3f85388bb3ca5f16ab7ef36570efa620d6c2adc77965cf34f3958c5a77673eb607d
SSDEEP

49152:OFUcx88PWPOpX0SFPX5du0t3GtH1SRP09k6yGc:O+K88uPCHvL3mSR8q6yGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	FC0B.tmp

Loads dropped DLL 1 IoCs

pid	Process
1732	67c6d93d5aa88d338a5ae0918ef98002.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1992	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	FC0B.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE
1992	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2208	1732	67c6d93d5aa88d338a5ae0918ef98002.exe	22
PID 1732 wrote to memory of 2208	1732	67c6d93d5aa88d338a5ae0918ef98002.exe	22
PID 1732 wrote to memory of 2208	1732	67c6d93d5aa88d338a5ae0918ef98002.exe	22
PID 1732 wrote to memory of 2208	1732	67c6d93d5aa88d338a5ae0918ef98002.exe	22
PID 2208 wrote to memory of 1992	2208	FC0B.tmp	29
PID 2208 wrote to memory of 1992	2208	FC0B.tmp	29
PID 2208 wrote to memory of 1992	2208	FC0B.tmp	29
PID 2208 wrote to memory of 1992	2208	FC0B.tmp	29

C:\Users\Admin\AppData\Local\Temp\67c6d93d5aa88d338a5ae0918ef98002.exe
"C:\Users\Admin\AppData\Local\Temp\67c6d93d5aa88d338a5ae0918ef98002.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\FC0B.tmp
  "C:\Users\Admin\AppData\Local\Temp\FC0B.tmp" --splashC:\Users\Admin\AppData\Local\Temp\67c6d93d5aa88d338a5ae0918ef98002.exe 7789FC83D50AB050591DC614A9FFA2AC9A261AD89DCDC691C71D23AA84BBD00E506E9CC6C7DC8FA50E67A6B8D777F05A7AC2C5E49ACF42891B7E18CB293287B4
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\67c6d93d5aa88d338a5ae0918ef98002.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67c6d93d5aa88d338a5ae0918ef98002.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC0B.tmp

Filesize
127KB

MD5
5895e4e983db9145a4ca19e092b9a8b9

SHA1
1474550e5ebffc164b4cd1f2a10cd6d762c47ab9

SHA256
0ba8c35f27bd19a32e8c3af3530e013af01affb0c173f6dfce60ecb6b2511e6b

SHA512
25e679cbdea6d84d4b9004edf63444f4287cdbf90b5a19903036eff7c02a2ede73971b03f90b9a61536c0775c5a50bd2d3d27aa3fde2dfbfc50ed12ec8471ca8

Download Submit
\Users\Admin\AppData\Local\Temp\FC0B.tmp

Filesize
98KB

MD5
432c17471039e52f5a5a333be3f5a07d

SHA1
7991c45167c9ffa06fe6306c8d9b177ea6d1dd57

SHA256
9be81980a7bcf137b410d57447340299dab7b60088ed86b9a2aeba9860ed696a

SHA512
0277c1a6ae3ab820573637acfc1be0d4f1bd9257c80ead4f55219008eaa077ef474a527e6d0af635a706e9b5187228f785eabd9d90288cbca8c9509a286c780c

Download Submit
memory/1732-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1992-9-0x000000002F961000-0x000000002F962000-memory.dmp

Filesize
4KB

Download
memory/1992-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1992-11-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/1992-15-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2208-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing