6a9029349a53fc4f664ec86fe75ab618e7a76524f7dc2037d9ea0719bba311f8

General

Target

ca99d487a7ff3f5dbadb7abf5513f82d.exe
Size

462KB
MD5

ca99d487a7ff3f5dbadb7abf5513f82d
SHA1

f81f5b4520abe15f6878b656ae7adbcd08852217
SHA256

6a9029349a53fc4f664ec86fe75ab618e7a76524f7dc2037d9ea0719bba311f8
SHA512

fcef575d069015c6646c8b0f47e41eb2bd61ce303d1839096d6a04a9cac653fab56058d8c88d84d40758f06b653ed67e32887c0a25d6e78837750c72fa41e00e
SSDEEP

12288:loJe5X8bz7ZU9qqzVcztzAb1onikQsJuj:loJw8bzK9T31onmsJu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	203D.tmp

Loads dropped DLL 1 IoCs

pid	Process
1704	ca99d487a7ff3f5dbadb7abf5513f82d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1532	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2844	203D.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1532	WINWORD.EXE
1532	WINWORD.EXE
1532	WINWORD.EXE
1532	WINWORD.EXE
1532	WINWORD.EXE
1532	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2844	1704	ca99d487a7ff3f5dbadb7abf5513f82d.exe	28
PID 1704 wrote to memory of 2844	1704	ca99d487a7ff3f5dbadb7abf5513f82d.exe	28
PID 1704 wrote to memory of 2844	1704	ca99d487a7ff3f5dbadb7abf5513f82d.exe	28
PID 1704 wrote to memory of 2844	1704	ca99d487a7ff3f5dbadb7abf5513f82d.exe	28
PID 2844 wrote to memory of 1532	2844	203D.tmp	29
PID 2844 wrote to memory of 1532	2844	203D.tmp	29
PID 2844 wrote to memory of 1532	2844	203D.tmp	29
PID 2844 wrote to memory of 1532	2844	203D.tmp	29

C:\Users\Admin\AppData\Local\Temp\ca99d487a7ff3f5dbadb7abf5513f82d.exe
"C:\Users\Admin\AppData\Local\Temp\ca99d487a7ff3f5dbadb7abf5513f82d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\203D.tmp
  "C:\Users\Admin\AppData\Local\Temp\203D.tmp" --helpC:\Users\Admin\AppData\Local\Temp\ca99d487a7ff3f5dbadb7abf5513f82d.exe 5D2E7ED6BCAA7109E2AD310995A5240773FC0B196DD51E181BD1D4E3C15B7865F5102FFEEC3C9062ADC45BEBFBC4F46B4F266F3851F9707652D108B94EF48BA5
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ca99d487a7ff3f5dbadb7abf5513f82d.docx"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ca99d487a7ff3f5dbadb7abf5513f82d.docx

Filesize
140KB

MD5
e90e498009a13ae957dcde4e01065e7d

SHA1
dcb4cc9b7d1ed3becc625597422d60aaf068a759

SHA256
ca91bbd477e2a516997c48dde3da1a5eae4cad86ca664fea54f0103739073c94

SHA512
4d0868f653e6c57d4011430ab81688f4f039550a9a0b5b1ce5ab1a695cb1dca7d7cdfb1d7c3920c35bbd3a8b441c820f00ae4e71f749650545ddd6894d597766

Download Submit
\Users\Admin\AppData\Local\Temp\203D.tmp

Filesize
462KB

MD5
065e332c2a17bb15c6e84bb71453e05d

SHA1
46a3ab2834b3a5412f36acfbb7f980ddb69cbc35

SHA256
1c626cc9573d405ab44d5186fb8d0a631a35233fdb263536354a81e4a3877018

SHA512
00c739c00a69ce60b6dc8fa18ce814a1cc8cc4e60ed624f9dbebc77a1b063c9d64a0f67d9b5efd71c30edbf3a07a346bfcd6fe5282c92ccd29c106ccb575a61e

Download Submit
memory/1532-7-0x000000002F8C1000-0x000000002F8C2000-memory.dmp

Filesize
4KB

Download
memory/1532-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1532-9-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download
memory/1532-13-0x0000000070C3D000-0x0000000070C48000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing