8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f

General

Target

c13a7c20e658b8c5f8e2958eaa94331e.exe
Size

2.0MB
MD5

c13a7c20e658b8c5f8e2958eaa94331e
SHA1

9ab3f9aba8a596fbc8fcfd43ef6f59a27476c57b
SHA256

8c9a6379b79aae42de97eddcb6566cdfdeeadb9b1990b217bced4aff87940c7f
SHA512

afc58c261fdee76fc47a91e7b93c345be60e0d3b224098568044808c5d8cc21e52fd6e931861ca27705a091b0fc5430988d3624447c72cc6540c30e9e4faee99
SSDEEP

49152:OFUcx88PWPOpX0SFEPCX/6bsqLZINvfhY+0l6YxTLyGc:O+K88uPCHuayQqu3hY+0l1LyGc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	1620.tmp

Loads dropped DLL 1 IoCs

pid	Process
2260	c13a7c20e658b8c5f8e2958eaa94331e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2992	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1936	1620.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1936	2260	c13a7c20e658b8c5f8e2958eaa94331e.exe	28
PID 2260 wrote to memory of 1936	2260	c13a7c20e658b8c5f8e2958eaa94331e.exe	28
PID 2260 wrote to memory of 1936	2260	c13a7c20e658b8c5f8e2958eaa94331e.exe	28
PID 2260 wrote to memory of 1936	2260	c13a7c20e658b8c5f8e2958eaa94331e.exe	28
PID 1936 wrote to memory of 2992	1936	1620.tmp	29
PID 1936 wrote to memory of 2992	1936	1620.tmp	29
PID 1936 wrote to memory of 2992	1936	1620.tmp	29
PID 1936 wrote to memory of 2992	1936	1620.tmp	29

C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe
"C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\1620.tmp
  "C:\Users\Admin\AppData\Local\Temp\1620.tmp" --splashC:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.exe 4F0951C49151D5AF87F1B0848364C29908503554A2942B5F6EC482F6A58A8EB18503B51AE41E04F8346CA2EA899A2A1B7C15EDB34455F25B3ACE210E0FA01789
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c13a7c20e658b8c5f8e2958eaa94331e.docx

Filesize
19KB

MD5
4046ff080673cffac6529512b8d3bdbb

SHA1
d3cbc39065b7a55e995fa25397da2140bdac80c1

SHA256
f0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680

SHA512
453f70730b7560e3d3e23ddfa0fe74e014753f8b34b45254c1c0cf5fec0546a2b8b109a4f9d096e91711b6d02cb383a7136c2cb7bd6600d0598acf7c90c25418

Download Submit
\Users\Admin\AppData\Local\Temp\1620.tmp

Filesize
2.0MB

MD5
ab2d2f86f77a9666415889702cb7aaed

SHA1
07725b1c322762b7bf01f97e82faea43c70cb5d3

SHA256
219c47b848d5b87356995147a25e6cc6b4313f0293e3bc56e1a545a7e5acf466

SHA512
623100ad1831e1b35f8aaeea9ae076c4a6ff8542114239b0d228250bdda8acca59b1e37249f4e8e9a5249d25e30c39e7eb24852d5977e846bf3dbc39ad22afbf

Download Submit
memory/1936-6-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2260-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/2992-9-0x000000002FA81000-0x000000002FA82000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2992-11-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download
memory/2992-15-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing