421ca9f61f11120a2cca1b98e4916c8b7b1741c3fa9f0d1ee2fad76fd220f683

General

Target

5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe
Size

1.6MB
MD5

5d73dc5f4e82f96dee0ad5bb1df8ebc0
SHA1

066bd5ebd7adc20dffdf3632f3f102b9723b9ace
SHA256

421ca9f61f11120a2cca1b98e4916c8b7b1741c3fa9f0d1ee2fad76fd220f683
SHA512

aebc73b52a27288f2cb1ff70f2673663a2cf421f8678e75bfac6e63127c686d7f29d1c35d2140c5208e772ab19cf36635256ace901c2b7e21d6f29f9ae0497af
SSDEEP

24576:rLILY8Xu/3y8UsG2BgYLicwnkgS0XCHdebUKyZURQ1TgjTc:cYrC8UsGuTwDCHdeQKyZURQ1EjTc

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	WINWORD.EXE
2828	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2828	2208	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe	30
PID 2208 wrote to memory of 2828	2208	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe	30
PID 2208 wrote to memory of 2828	2208	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe	30
PID 2208 wrote to memory of 2828	2208	5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe	30
PID 2828 wrote to memory of 2764	2828	WINWORD.EXE	32
PID 2828 wrote to memory of 2764	2828	WINWORD.EXE	32
PID 2828 wrote to memory of 2764	2828	WINWORD.EXE	32
PID 2828 wrote to memory of 2764	2828	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe
"C:\Users\Admin\AppData\Local\Temp\5d73dc5f4e82f96dee0ad5bb1df8ebc0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5d73dc5f4e82f96dee0ad5bb1df8ebc0N.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2793714289.tmp

Filesize
1.6MB

MD5
5d73dc5f4e82f96dee0ad5bb1df8ebc0

SHA1
066bd5ebd7adc20dffdf3632f3f102b9723b9ace

SHA256
421ca9f61f11120a2cca1b98e4916c8b7b1741c3fa9f0d1ee2fad76fd220f683

SHA512
aebc73b52a27288f2cb1ff70f2673663a2cf421f8678e75bfac6e63127c686d7f29d1c35d2140c5208e772ab19cf36635256ace901c2b7e21d6f29f9ae0497af

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d73dc5f4e82f96dee0ad5bb1df8ebc0N.docx

Filesize
18KB

MD5
1b90caa9a59a72737c055903630d93e9

SHA1
bd449c861f9270f87171690b91b0e038c3ed5ecb

SHA256
aa322ebf7c9cf796040a0e9a8395bb2c95958bce87d4baab1405a34c73b0edec

SHA512
73a4d4b23a21fbd38e4452060ad473b93efa9930520cde1d073509cc9ec37b26b921eacd5b81ba396c8a7f033d2032ebe950d6925868725ad1e81adde6880e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
3928351fea0d7d7abf2a540535faf324

SHA1
8af8bcd570d4237365666b4fa82ab22835383bb0

SHA256
fe8e17be05a73a02469a2a7f32591afacabbe4fa2012ada5cfbbea0f4242c1f3

SHA512
989a42a479532f7942710450bd105d07945d96f9f4f7a7108c0ace5daadef331e5deba653adcfc114616499077d71f095ba695f1d67f6f50eb04feb9856e8ee4

Download Submit
memory/2828-10-0x000000002FF31000-0x000000002FF32000-memory.dmp

Filesize
4KB

Download
memory/2828-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-12-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2828-17-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2828-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads