c48c69c6d7ea357ed5372d0f648848787baa3ebf36ca8b8c565833f02af886e0

General

Target

062eecfedbfe097c7a42f699a95b7b00N.exe
Size

1.6MB
MD5

062eecfedbfe097c7a42f699a95b7b00
SHA1

56abd214cbc60748a4ac539bc4f7b00f625b5cf6
SHA256

c48c69c6d7ea357ed5372d0f648848787baa3ebf36ca8b8c565833f02af886e0
SHA512

1c9951d53b0ba871af91e7f27b9ef00a9b0a8420ec83a5cdcda17ea784e20a75924be323214461e59d10ce9c7a4217ed0f40dda657d7be845e3ffa69f7a2ef13
SSDEEP

24576:sLILY8Xu/3y8UsG2BgYLicwnk8CHdebUKyZURQ1TgjTH:bYrC8UsGuTwVCHdeQKyZURQ1EjTH

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	062eecfedbfe097c7a42f699a95b7b00N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	062eecfedbfe097c7a42f699a95b7b00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2900	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	WINWORD.EXE
2900	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2900	3028	062eecfedbfe097c7a42f699a95b7b00N.exe	30
PID 3028 wrote to memory of 2900	3028	062eecfedbfe097c7a42f699a95b7b00N.exe	30
PID 3028 wrote to memory of 2900	3028	062eecfedbfe097c7a42f699a95b7b00N.exe	30
PID 3028 wrote to memory of 2900	3028	062eecfedbfe097c7a42f699a95b7b00N.exe	30
PID 2900 wrote to memory of 2716	2900	WINWORD.EXE	31
PID 2900 wrote to memory of 2716	2900	WINWORD.EXE	31
PID 2900 wrote to memory of 2716	2900	WINWORD.EXE	31
PID 2900 wrote to memory of 2716	2900	WINWORD.EXE	31

C:\Users\Admin\AppData\Local\Temp\062eecfedbfe097c7a42f699a95b7b00N.exe
"C:\Users\Admin\AppData\Local\Temp\062eecfedbfe097c7a42f699a95b7b00N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\062eecfedbfe097c7a42f699a95b7b00N.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\062eecfedbfe097c7a42f699a95b7b00N.doc

Filesize
49KB

MD5
cc1798389875fbc1e9662bf0ce6abbb9

SHA1
03212348ca82a350234688ad8a190054ccab2684

SHA256
0cd2563d439a477a2ecb87ca98d3c4068c0fc0fffa04b2762c27ef9b42769913

SHA512
6fdd0fdfea9d58f36dc386a4a804615fba7d336cec8fed7cf07d1a52a972231a94507ba9e3363dff0c053d505d9ef8cd1ce0c7be2210c9e4170ddf387948667a

Download Submit
C:\Users\Admin\AppData\Local\Temp\239931040.tmp

Filesize
1.6MB

MD5
062eecfedbfe097c7a42f699a95b7b00

SHA1
56abd214cbc60748a4ac539bc4f7b00f625b5cf6

SHA256
c48c69c6d7ea357ed5372d0f648848787baa3ebf36ca8b8c565833f02af886e0

SHA512
1c9951d53b0ba871af91e7f27b9ef00a9b0a8420ec83a5cdcda17ea784e20a75924be323214461e59d10ce9c7a4217ed0f40dda657d7be845e3ffa69f7a2ef13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
8bb472f016d1cca6bd0d4f4647f6e13b

SHA1
c558d2c99f09430b6cc5d53bf4a3042d8d87b45c

SHA256
76b8291bc8b1eb65644394d95e31d3df15247abf211fd0cc27c01f4dbe9b267b

SHA512
16a06871583c3dfa55420937724bbe3d195b45de25f97c4e0f280e8793a6ab8c516f27b14de335eb522d03d57bc7c8b932dea5ad6955f7564fda173ad0d87830

Download Submit
memory/2900-11-0x000000002FBC1000-0x000000002FBC2000-memory.dmp

Filesize
4KB

Download
memory/2900-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2900-13-0x000000007085D000-0x0000000070868000-memory.dmp

Filesize
44KB

Download
memory/2900-21-0x000000007085D000-0x0000000070868000-memory.dmp

Filesize
44KB

Download
memory/2900-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3028-10-0x0000000000090000-0x0000000000230000-memory.dmp

Filesize
1.6MB

Download
memory/3028-22-0x0000000000090000-0x0000000000230000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads