1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64

General

Target

1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe
Size

30KB
MD5

7008b38a43ad8d127a40b84e0b787b28
SHA1

8e5be9675fde81834f49a68e7257a9ac87bbc42a
SHA256

1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64
SHA512

21c62ae32cb6b2fbcadd2475f92cf8c69d673a32239660b28fb3ef61374c603bfeb2e97f5d3b257ef36668cf2245bb78de6ba0f750c243a8ae714e504ee9d58c
SSDEEP

768:qZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqKNPWQHp4:OLsF2Kerc64sTiX2IV0Dhu4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1724	WINWORD.exe
2448	WINWORD.exe

Loads dropped DLL 4 IoCs

pid	Process
2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe
2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe
2120	cmd.exe
2120	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r"	WINWORD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2896	PING.EXE
2636	PING.EXE
2732	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1724	2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe	28
PID 2524 wrote to memory of 1724	2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe	28
PID 2524 wrote to memory of 1724	2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe	28
PID 2524 wrote to memory of 1724	2524	1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe	28
PID 1724 wrote to memory of 2120	1724	WINWORD.exe	29
PID 1724 wrote to memory of 2120	1724	WINWORD.exe	29
PID 1724 wrote to memory of 2120	1724	WINWORD.exe	29
PID 1724 wrote to memory of 2120	1724	WINWORD.exe	29
PID 2120 wrote to memory of 2636	2120	cmd.exe	31
PID 2120 wrote to memory of 2636	2120	cmd.exe	31
PID 2120 wrote to memory of 2636	2120	cmd.exe	31
PID 2120 wrote to memory of 2636	2120	cmd.exe	31
PID 2120 wrote to memory of 2732	2120	cmd.exe	32
PID 2120 wrote to memory of 2732	2120	cmd.exe	32
PID 2120 wrote to memory of 2732	2120	cmd.exe	32
PID 2120 wrote to memory of 2732	2120	cmd.exe	32
PID 2120 wrote to memory of 2896	2120	cmd.exe	33
PID 2120 wrote to memory of 2896	2120	cmd.exe	33
PID 2120 wrote to memory of 2896	2120	cmd.exe	33
PID 2120 wrote to memory of 2896	2120	cmd.exe	33
PID 2120 wrote to memory of 2448	2120	cmd.exe	34
PID 2120 wrote to memory of 2448	2120	cmd.exe	34
PID 2120 wrote to memory of 2448	2120	cmd.exe	34
PID 2120 wrote to memory of 2448	2120	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe
"C:\Users\Admin\AppData\Local\Temp\1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\00002EB6" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2636
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2732
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:2896
  - - C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
      "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\00002EB6

Filesize
30KB

MD5
fe85078fcbbaa057f5148aefd51a04c1

SHA1
cfcc5c12e1aa5668ab54d9072ff0f43022f59bc8

SHA256
160eb33d23b791a6c8c72be2d2086608277ad476a2783f4f758f6dc4fa190eb4

SHA512
d5f6ec89e654d7955b7bf9f00a97e23af569c925dee32e27765bc13e422b415ed9f1ce4ac7fc5ce6f5a4a14328b266c3eee84fd98f484121a11239c863a3b9cd

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
30KB

MD5
7008b38a43ad8d127a40b84e0b787b28

SHA1
8e5be9675fde81834f49a68e7257a9ac87bbc42a

SHA256
1bb61029daa49e90729576632a248ff6197a6f6a5697c4f45b04b5eab2d03d64

SHA512
21c62ae32cb6b2fbcadd2475f92cf8c69d673a32239660b28fb3ef61374c603bfeb2e97f5d3b257ef36668cf2245bb78de6ba0f750c243a8ae714e504ee9d58c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads