798f152cc95e636866b8053c4e3d67c1b99b713470492b596c44249e340cdec8

General

Target

7719da6f63d95f275dc605fca98e8f0d.exe
Size

176KB
MD5

7719da6f63d95f275dc605fca98e8f0d
SHA1

6f65c380342df89726aa91081e093e5cf73ab4ab
SHA256

798f152cc95e636866b8053c4e3d67c1b99b713470492b596c44249e340cdec8
SHA512

dc8360860d81ac5de609edc6210cd6bfaf438893d19052b0268107105022a1481a56d4a7669d5ae164fd7e5f31a102a5f23b1bd419cc972731f4888871470d1e
SSDEEP

3072:tUQjOSAou9Ius7FkDhGul2UVvQook9+vQ2Lyb3Vlso3CqC+Ku4C+vk:qZ99IXkoavQHk9+YYevv3fcC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

microsoftrhelp.exewab32reswindows.exemicrosoftmsdaorar6.1.7600.16385.execagcat10organizer10.0.5099.exe

pid process

2436 microsoftrhelp.exe
1580 wab32reswindows.exe
1272 microsoftmsdaorar6.1.7600.16385.exe
2476 cagcat10organizer10.0.5099.exe

pid	process
2436	microsoftrhelp.exe
1580	wab32reswindows.exe
1272	microsoftmsdaorar6.1.7600.16385.exe
2476	cagcat10organizer10.0.5099.exe

Loads dropped DLL 8 IoCs

Processes:

7719da6f63d95f275dc605fca98e8f0d.exe

pid	process
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7719da6f63d95f275dc605fca98e8f0d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7719da6f63d95f275dc605fca98e8f0d.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sqloledbSystem6.1.7600.163857.0907131255 = "c:\\program files (x86)\\common files\\system\\ole db\\ja-jp\\microsoftmsdaorar6.1.7600.16385.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WindowsMicrosoft = "c:\\program files (x86)\\common files\\system\\ja-jp\\wab32reswindows.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7719da6f63d95f275dc605fca98e8f0d.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftRMicrosoftR = "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\microsoftrhelp.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ClipOrganizer = "c:\\program files (x86)\\microsoft office\\media\\cagcat10\\1033\\cagcat10organizer10.0.5099.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NPPDF32Acrobat = "c:\\program files (x86)\\adobe\\reader 9.0\\reader\\air\\acrobatadobe.exe"	7719da6f63d95f275dc605fca98e8f0d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msadcermsdaprst = "c:\\program files (x86)\\common files\\system\\msadc\\systemoperating.exe"	7719da6f63d95f275dc605fca98e8f0d.exe

Drops file in System32 directory 5 IoCs

Processes:

microsoftrhelp.exewab32reswindows.exemicrosoftmsdaorar6.1.7600.16385.execagcat10organizer10.0.5099.exe7719da6f63d95f275dc605fca98e8f0d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftrhelp.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	wab32reswindows.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftmsdaorar6.1.7600.16385.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	cagcat10organizer10.0.5099.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	7719da6f63d95f275dc605fca98e8f0d.exe

Drops file in Program Files directory 7 IoCs

Processes:

7719da6f63d95f275dc605fca98e8f0d.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\ja-JP\WAB32resWindows.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\Microsoftmsdaorar6.1.7600.16385.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\Microsoftmsdaorar6.1.7600.16385.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\MicrosoftRHelp.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CagCat10Organizer10.0.5099.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\AcrobatAdobe.exe	7719da6f63d95f275dc605fca98e8f0d.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\SystemOperating.exe	7719da6f63d95f275dc605fca98e8f0d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7719da6f63d95f275dc605fca98e8f0d.exe

pid	process
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe
2276	7719da6f63d95f275dc605fca98e8f0d.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7719da6f63d95f275dc605fca98e8f0d.exe

description	pid	process	target process
PID 2276 wrote to memory of 2436	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftrhelp.exe
PID 2276 wrote to memory of 2436	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftrhelp.exe
PID 2276 wrote to memory of 2436	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftrhelp.exe
PID 2276 wrote to memory of 2436	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftrhelp.exe
PID 2276 wrote to memory of 1580	2276	7719da6f63d95f275dc605fca98e8f0d.exe	wab32reswindows.exe
PID 2276 wrote to memory of 1580	2276	7719da6f63d95f275dc605fca98e8f0d.exe	wab32reswindows.exe
PID 2276 wrote to memory of 1580	2276	7719da6f63d95f275dc605fca98e8f0d.exe	wab32reswindows.exe
PID 2276 wrote to memory of 1580	2276	7719da6f63d95f275dc605fca98e8f0d.exe	wab32reswindows.exe
PID 2276 wrote to memory of 1272	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftmsdaorar6.1.7600.16385.exe
PID 2276 wrote to memory of 1272	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftmsdaorar6.1.7600.16385.exe
PID 2276 wrote to memory of 1272	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftmsdaorar6.1.7600.16385.exe
PID 2276 wrote to memory of 1272	2276	7719da6f63d95f275dc605fca98e8f0d.exe	microsoftmsdaorar6.1.7600.16385.exe
PID 2276 wrote to memory of 2476	2276	7719da6f63d95f275dc605fca98e8f0d.exe	cagcat10organizer10.0.5099.exe
PID 2276 wrote to memory of 2476	2276	7719da6f63d95f275dc605fca98e8f0d.exe	cagcat10organizer10.0.5099.exe
PID 2276 wrote to memory of 2476	2276	7719da6f63d95f275dc605fca98e8f0d.exe	cagcat10organizer10.0.5099.exe
PID 2276 wrote to memory of 2476	2276	7719da6f63d95f275dc605fca98e8f0d.exe	cagcat10organizer10.0.5099.exe

C:\Users\Admin\AppData\Local\Temp\7719da6f63d95f275dc605fca98e8f0d.exe
"C:\Users\Admin\AppData\Local\Temp\7719da6f63d95f275dc605fca98e8f0d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276

\??\c:\program files (x86)\common files\microsoft shared\help\1041\microsoftrhelp.exe
"c:\program files (x86)\common files\microsoft shared\help\1041\microsoftrhelp.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2436

\??\c:\program files (x86)\common files\system\ja-jp\wab32reswindows.exe
"c:\program files (x86)\common files\system\ja-jp\wab32reswindows.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580

\??\c:\program files (x86)\common files\system\ole db\ja-jp\microsoftmsdaorar6.1.7600.16385.exe
"c:\program files (x86)\common files\system\ole db\ja-jp\microsoftmsdaorar6.1.7600.16385.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1272

\??\c:\program files (x86)\microsoft office\media\cagcat10\1033\cagcat10organizer10.0.5099.exe
"c:\program files (x86)\microsoft office\media\cagcat10\1033\cagcat10organizer10.0.5099.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\CagCat10Organizer10.0.5099.exe
Filesize
176KB

MD5
7719da6f63d95f275dc605fca98e8f0d

SHA1
6f65c380342df89726aa91081e093e5cf73ab4ab

SHA256
798f152cc95e636866b8053c4e3d67c1b99b713470492b596c44249e340cdec8

SHA512
dc8360860d81ac5de609edc6210cd6bfaf438893d19052b0268107105022a1481a56d4a7669d5ae164fd7e5f31a102a5f23b1bd419cc972731f4888871470d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qasCC73.tmp
Filesize
8KB

MD5
e6e265698f2f41d9f51659972d13ecfc

SHA1
0470583e458af4cecf7c357dd57b1e915485a99a

SHA256
ba76715ec8f7ba3f589a74cb981405d06b4cb36506bdd925daf16d6db044db7e

SHA512
5809431dc8a4b762dba0c65de295c74024c841a29230220b3659857cf5890164a9acdbf28d8fabb141bb33d2bb016986b11c28dda33637426d842877acea8b94

Download Submit
memory/1272-244-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1272-494-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1272-243-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1580-157-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1580-158-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1580-378-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2276-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2276-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2276-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2436-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2436-242-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2436-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-333-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-334-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2476-534-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads