3adacca54c6fe4bb905e233e48dffd8f6d03078d3d2d309d40e2e67a04a70db1

General

Target

Нападение на американские космические системы очень д.scr
Size

386KB
MD5

6da437dcce6eaa6b39aedf008142e1d3
SHA1

4114f56826c1d531a8bbffd2d8831d312be6376e
SHA256

9e2c7a431cfb2d446f22e6f45f5344e861bebfad767bbf297b64802f8c17f815
SHA512

67454df95816b1be875ad8d26d0d484c028d4f0438c2d5d28a04edd3be71bcde672a5d1c2945797b5f8325e1e96ef87ab70e952954512598482e51f4c9a55eb3
SSDEEP

6144:otjWxbczG4XMoxnBLFIRTwLhmJpEVxdg0L9JbAnj3wzaAvPaejiA6:oRWNcr8oxn8Urxdg495CjTeSz

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityve.dll"	RasTls.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	fa.exe
616	RasTls.exe

Loads dropped DLL 9 IoCs

pid	Process
2096	Нападение на американские космические системы очень д.scr
2096	Нападение на американские космические системы очень д.scr
2096	Нападение на американские космические системы очень д.scr
2184	fa.exe
2184	fa.exe
2184	fa.exe
2184	fa.exe
616	RasTls.exe
572	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sycmentec.config	RasTls.exe
File opened for modification	C:\Windows\SysWOW64\Sycmentec.config	RasTls.exe
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityve.dll	RasTls.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File created	C:\Windows\system\CERTAPL.DLL	RasTls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2628	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2628	WINWORD.EXE
2628	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2096 wrote to memory of 2628	2096	Нападение на американские космические системы очень д.scr	30
PID 2628 wrote to memory of 1972	2628	WINWORD.EXE	33
PID 2628 wrote to memory of 1972	2628	WINWORD.EXE	33
PID 2628 wrote to memory of 1972	2628	WINWORD.EXE	33
PID 2628 wrote to memory of 1972	2628	WINWORD.EXE	33
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2096 wrote to memory of 2184	2096	Нападение на американские космические системы очень д.scr	34
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35
PID 2184 wrote to memory of 616	2184	fa.exe	35

C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr
"C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.doc"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1972
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.doc

Filesize
37KB

MD5
e1e97cb3e26e55d8ca6f19a1c3d39aaf

SHA1
37464be30a64fa3c28f7617d8411ff202e3d14cd

SHA256
d0c2969339d47e1ff25722d19f18cb3af48286de344a1285438200e7701fd9ff

SHA512
fa9bbc142e206535906ec295acd89e577a06903cc7909dc7e3dfd6b47bac3b692bd23916416149442ee1aaec715ee58a22761f9077e156156f8692a29b1b47f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sycmentec.config

Filesize
57KB

MD5
ada9d0006b5b3d1d3f4cdea0c9d12d0d

SHA1
4e3c575c7a281917ca66d5a07a641f21573cc7b3

SHA256
79c3114d85932d77d4640a7cbe87cceec1e7f3bd3105c140cb708bfd5d330d4d

SHA512
39bcd4100d5b453d30beacee7ae1b7ffc653cc6c4d1ec8746095129f05a6f5fabd49e85c218cebe9bbee041c795349d6a5a17d7d9918d9423d132fc2954d970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\config.dat

Filesize
122B

MD5
0f6be30587d0d0fa5b43b6c44648b2a4

SHA1
7841e2a6691d9a6f5d3aa6a73e3963cc819e9147

SHA256
3d8338dfd2770bba4a6cce7a770a7e32c51fadcc3ad766f9551c564e1920cd0d

SHA512
7ac03cdf3c1bb3810ab8c18d9c7d71d356aca54b620f53e9474267dab9e82f799e0a1c2ff3ef840c143a74e8fc0c4274fe29802e34c1c34eb31e714942deea81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
9b8b4adab3b443a60917419d0d8d7dee

SHA1
ed3aaf97d4aa5954b368cc4e0d99b0c051a97210

SHA256
cb07314014b169d84d7fd3aed26fca9e19ac536d9b701e66286a369fbd25c5a4

SHA512
053644d62ae6cf60fe4596fbce8f0228bdb4d330d52c1936a78da486a9720df15c5a78a2430b00ae4c5b7f0f85f430cecbe959ffb61ac4af4a18e378bdbf1f39

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe

Filesize
287KB

MD5
002b2f7e48edf64d63a0341cc8360732

SHA1
11898d59a788babe573622ab674b1af35209eb3d

SHA256
64fea780db9da58aefae1d9957f1395a3c95124cb25146579a2f054deb7bbfaa

SHA512
951f1bfe51af122422e41ef18ea9efbaeade8d11322a553b33a3a2567ac6a18eddc222a78d2d78d283217e7ebdc2d1012aed1fde2cd9b5858951dd4afcb7b6c0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe

Filesize
105KB

MD5
62944e26b36b1dcace429ae26ba66164

SHA1
2616da1697f7c764ee7fb558887a6a3279861fac

SHA256
f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68

SHA512
e3c366044ac0b4df834b2f05d900cad01bc55b39028984ed3486aa2522e8c226bf9a81952da2c7e4bf0bc2c322d10fe58329e787238bb710a137827927b48d7c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\rastls.dll

Filesize
5KB

MD5
51c90f69491ba5baa5ebf7c6a36aa17b

SHA1
b31c84a648102e30aef25d8a74b8acac89578d4c

SHA256
af494820388f93ee4b7b0eaa28e665bf8e1836f916d9b74df8b14aa02bce5f8b

SHA512
35f581640467e1bbabc7b27f71f70bc90e9e43d6a52c4e7a77bf74e615bd5d9dda06996ca7809d90d5d6a736f9edaa2419cba7b5a438b313c39dcb6609f751bc

Download Submit
\Windows\SysWOW64\FastUserSwitchingCompatibilityve.dll

Filesize
5KB

MD5
d7538b63bb490bc42102b904c399fd13

SHA1
abedfb74af2b67a59c4a8d28b3aedcbf493a1d73

SHA256
703df1768f95b69d6414ad35d078969c53a782d84659a153ff27d320c4c59fb6

SHA512
971f1e90e916e22f7a78d64c6b206b9d64d72d7ec789b85f1874ffa9ece2c8abb2fbcafadb13c301c0eeccdceb8565159b79b9eb3373b6ffb69d4b6a872c5598

Download Submit
memory/572-79-0x0000000000110000-0x000000000012B000-memory.dmp

Filesize
108KB

Download
memory/616-62-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2628-25-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2628-10-0x0000000070ECD000-0x0000000070ED8000-memory.dmp

Filesize
44KB

Download
memory/2628-4-0x000000002FF71000-0x000000002FF72000-memory.dmp

Filesize
4KB

Download
memory/2628-6-0x0000000070ECD000-0x0000000070ED8000-memory.dmp

Filesize
44KB

Download
memory/2628-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing