442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79

General

Target

442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe
Size

30KB
MD5

8a648b886e5defae42964b0a7e30d20b
SHA1

53c78a76e49f4db374cbf0a47e5cc121d92cd118
SHA256

442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79
SHA512

1fff1b90153d220eb73685361f54564737a865874fc43e4306b8c94c8ba4b0c3b7aa5b6f2df45fd2b2bce43c136e429e6354eb82e85c2c6d41e402a4c0e11d37
SSDEEP

768:qZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqKNPWQHpt:OLsF2Kerc64sTiX2IV0Dhut

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2696	WINWORD.exe
2868	WINWORD.exe

Loads dropped DLL 4 IoCs

pid	Process
2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe
2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe
2628	cmd.exe
2628	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r"	WINWORD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2812	PING.EXE
2672	PING.EXE
2580	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2696	2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe	28
PID 2176 wrote to memory of 2696	2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe	28
PID 2176 wrote to memory of 2696	2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe	28
PID 2176 wrote to memory of 2696	2176	442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe	28
PID 2696 wrote to memory of 2628	2696	WINWORD.exe	29
PID 2696 wrote to memory of 2628	2696	WINWORD.exe	29
PID 2696 wrote to memory of 2628	2696	WINWORD.exe	29
PID 2696 wrote to memory of 2628	2696	WINWORD.exe	29
PID 2628 wrote to memory of 2812	2628	cmd.exe	31
PID 2628 wrote to memory of 2812	2628	cmd.exe	31
PID 2628 wrote to memory of 2812	2628	cmd.exe	31
PID 2628 wrote to memory of 2812	2628	cmd.exe	31
PID 2628 wrote to memory of 2672	2628	cmd.exe	32
PID 2628 wrote to memory of 2672	2628	cmd.exe	32
PID 2628 wrote to memory of 2672	2628	cmd.exe	32
PID 2628 wrote to memory of 2672	2628	cmd.exe	32
PID 2628 wrote to memory of 2580	2628	cmd.exe	33
PID 2628 wrote to memory of 2580	2628	cmd.exe	33
PID 2628 wrote to memory of 2580	2628	cmd.exe	33
PID 2628 wrote to memory of 2580	2628	cmd.exe	33
PID 2628 wrote to memory of 2868	2628	cmd.exe	34
PID 2628 wrote to memory of 2868	2628	cmd.exe	34
PID 2628 wrote to memory of 2868	2628	cmd.exe	34
PID 2628 wrote to memory of 2868	2628	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe
"C:\Users\Admin\AppData\Local\Temp\442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\00007F0F" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2812
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2672
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2580
  - - C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
      "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\00007F0F

Filesize
30KB

MD5
47c8c2c790d4842a180aeaff0f7d758c

SHA1
aa3ed44ab472d8f64ba80e604d5c2330341bd0bb

SHA256
e640d5f50ff95c467dcec39c2f4bcaf2528d37d0375c960ea12bdbfe93352f5c

SHA512
25ae0ed8e92b2e68e17a797c7d4fd5239b7441088c085a8fb2c03888c637d1c67345a2342358ace4a61dea92809d9e6dead605c102637407f483b20b0dddf216

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
30KB

MD5
8a648b886e5defae42964b0a7e30d20b

SHA1
53c78a76e49f4db374cbf0a47e5cc121d92cd118

SHA256
442f89554ded824b48b9612e0f5b6a01dadc3a11f5d83cbb4cc7b752f3c91b79

SHA512
1fff1b90153d220eb73685361f54564737a865874fc43e4306b8c94c8ba4b0c3b7aa5b6f2df45fd2b2bce43c136e429e6354eb82e85c2c6d41e402a4c0e11d37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads