3adacca54c6fe4bb905e233e48dffd8f6d03078d3d2d309d40e2e67a04a70db1

General

Target

Нападение на американские космические системы очень д.scr
Size

386KB
MD5

6da437dcce6eaa6b39aedf008142e1d3
SHA1

4114f56826c1d531a8bbffd2d8831d312be6376e
SHA256

9e2c7a431cfb2d446f22e6f45f5344e861bebfad767bbf297b64802f8c17f815
SHA512

67454df95816b1be875ad8d26d0d484c028d4f0438c2d5d28a04edd3be71bcde672a5d1c2945797b5f8325e1e96ef87ab70e952954512598482e51f4c9a55eb3
SSDEEP

6144:otjWxbczG4XMoxnBLFIRTwLhmJpEVxdg0L9JbAnj3wzaAvPaejiA6:oRWNcr8oxn8Urxdg495CjTeSz

Score

8^/10

persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibilityve.dll"	RasTls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	Нападение на американские космические системы очень д.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	fa.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	fa.exe
3524	RasTls.exe

Loads dropped DLL 2 IoCs

pid	Process
3524	RasTls.exe
3932	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sycmentec.config	RasTls.exe
File opened for modification	C:\Windows\SysWOW64\Sycmentec.config	RasTls.exe
File created	C:\Windows\SysWOW64\FastUserSwitchingCompatibilityve.dll	RasTls.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system\CERTAPL.DLL	RasTls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	Нападение на американские космические системы очень д.scr

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1420	WINWORD.EXE
1420	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE
1420	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1420	4340	Нападение на американские космические системы очень д.scr	80
PID 4340 wrote to memory of 1420	4340	Нападение на американские космические системы очень д.scr	80
PID 4340 wrote to memory of 2544	4340	Нападение на американские космические системы очень д.scr	86
PID 4340 wrote to memory of 2544	4340	Нападение на американские космические системы очень д.scr	86
PID 4340 wrote to memory of 2544	4340	Нападение на американские космические системы очень д.scr	86
PID 2544 wrote to memory of 3524	2544	fa.exe	87
PID 2544 wrote to memory of 3524	2544	fa.exe	87
PID 2544 wrote to memory of 3524	2544	fa.exe	87

C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr
"C:\Users\Admin\AppData\Local\Temp\Нападение на американские космические системы очень д.scr" /S
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe"
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Loads dropped DLL
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.doc

Filesize
37KB

MD5
e1e97cb3e26e55d8ca6f19a1c3d39aaf

SHA1
37464be30a64fa3c28f7617d8411ff202e3d14cd

SHA256
d0c2969339d47e1ff25722d19f18cb3af48286de344a1285438200e7701fd9ff

SHA512
fa9bbc142e206535906ec295acd89e577a06903cc7909dc7e3dfd6b47bac3b692bd23916416149442ee1aaec715ee58a22761f9077e156156f8692a29b1b47f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fa.exe

Filesize
287KB

MD5
002b2f7e48edf64d63a0341cc8360732

SHA1
11898d59a788babe573622ab674b1af35209eb3d

SHA256
64fea780db9da58aefae1d9957f1395a3c95124cb25146579a2f054deb7bbfaa

SHA512
951f1bfe51af122422e41ef18ea9efbaeade8d11322a553b33a3a2567ac6a18eddc222a78d2d78d283217e7ebdc2d1012aed1fde2cd9b5858951dd4afcb7b6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.dll

Filesize
5KB

MD5
51c90f69491ba5baa5ebf7c6a36aa17b

SHA1
b31c84a648102e30aef25d8a74b8acac89578d4c

SHA256
af494820388f93ee4b7b0eaa28e665bf8e1836f916d9b74df8b14aa02bce5f8b

SHA512
35f581640467e1bbabc7b27f71f70bc90e9e43d6a52c4e7a77bf74e615bd5d9dda06996ca7809d90d5d6a736f9edaa2419cba7b5a438b313c39dcb6609f751bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\RasTls.exe

Filesize
105KB

MD5
62944e26b36b1dcace429ae26ba66164

SHA1
2616da1697f7c764ee7fb558887a6a3279861fac

SHA256
f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68

SHA512
e3c366044ac0b4df834b2f05d900cad01bc55b39028984ed3486aa2522e8c226bf9a81952da2c7e4bf0bc2c322d10fe58329e787238bb710a137827927b48d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Sycmentec.config

Filesize
57KB

MD5
ada9d0006b5b3d1d3f4cdea0c9d12d0d

SHA1
4e3c575c7a281917ca66d5a07a641f21573cc7b3

SHA256
79c3114d85932d77d4640a7cbe87cceec1e7f3bd3105c140cb708bfd5d330d4d

SHA512
39bcd4100d5b453d30beacee7ae1b7ffc653cc6c4d1ec8746095129f05a6f5fabd49e85c218cebe9bbee041c795349d6a5a17d7d9918d9423d132fc2954d970c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\config.dat

Filesize
122B

MD5
0f6be30587d0d0fa5b43b6c44648b2a4

SHA1
7841e2a6691d9a6f5d3aa6a73e3963cc819e9147

SHA256
3d8338dfd2770bba4a6cce7a770a7e32c51fadcc3ad766f9551c564e1920cd0d

SHA512
7ac03cdf3c1bb3810ab8c18d9c7d71d356aca54b620f53e9474267dab9e82f799e0a1c2ff3ef840c143a74e8fc0c4274fe29802e34c1c34eb31e714942deea81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
45199eb3043fb7065d953814de797e4e

SHA1
e446f24da1e3c05d211e864137822646084e794d

SHA256
451a385a63a098e60b7ba8a52af0f78789969166e86ffc51197f42a7f252f606

SHA512
396a9458a480f193bf08718337eada013860f908ef4773f365acf753bc6fcfd8136c6b1d344e9bdd88625e50da80863ddadafbe38742d2554e5617a79cbe76df

Download Submit
C:\Windows\SysWOW64\FastUserSwitchingCompatibilityve.dll

Filesize
5KB

MD5
d7538b63bb490bc42102b904c399fd13

SHA1
abedfb74af2b67a59c4a8d28b3aedcbf493a1d73

SHA256
703df1768f95b69d6414ad35d078969c53a782d84659a153ff27d320c4c59fb6

SHA512
971f1e90e916e22f7a78d64c6b206b9d64d72d7ec789b85f1874ffa9ece2c8abb2fbcafadb13c301c0eeccdceb8565159b79b9eb3373b6ffb69d4b6a872c5598

Download Submit
memory/1420-31-0x00007FFED91B0000-0x00007FFED91C0000-memory.dmp

Filesize
64KB

Download
memory/1420-57-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-18-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-23-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-25-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-26-0x00007FFED91B0000-0x00007FFED91C0000-memory.dmp

Filesize
64KB

Download
memory/1420-24-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-27-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-28-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-30-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-20-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-29-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-22-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-21-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-17-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-19-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-58-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-77-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-76-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-79-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-78-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-80-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-16-0x00007FFF1B190000-0x00007FFF1B385000-memory.dmp

Filesize
2.0MB

Download
memory/1420-12-0x00007FFF1B22D000-0x00007FFF1B22E000-memory.dmp

Filesize
4KB

Download
memory/1420-15-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-13-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-11-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/1420-14-0x00007FFEDB210000-0x00007FFEDB220000-memory.dmp

Filesize
64KB

Download
memory/3524-108-0x0000000000570000-0x000000000058B000-memory.dmp

Filesize
108KB

Download
memory/3932-125-0x0000000000FC0000-0x0000000000FDB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads