141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068

General

Target

141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe
Size

40KB
MD5

81aea8c3fe9df02f22b1b7b24965d850
SHA1

4e43b66c1c54e5cc1274ba202b758c504207ca65
SHA256

141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068
SHA512

36edf22b3353bda36c2baea465bfe48b4558e7f2b6f7193a8db5586753d779d95bc19e511bfe2ec1ea5ea8c8d965e1f48e9fa3e7d5e205e76e3bc3a7b8ecdd91
SSDEEP

768:FZL/0F24lercjO4sTZg5ZLvn2IuWZ0kqNWkr7toH:3LsF2Kerc64sTiX2IV0DRGH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1244	WINWORD.exe
2880	WINWORD.exe

Loads dropped DLL 4 IoCs

pid	Process
2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe
2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe
1060	cmd.exe
1060	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINWORD = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\WINWORD.exe -r"	WINWORD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2808	PING.EXE
1060	cmd.exe
2904	PING.EXE
1932	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2904	PING.EXE
1932	PING.EXE
2808	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1244	2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe	31
PID 2544 wrote to memory of 1244	2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe	31
PID 2544 wrote to memory of 1244	2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe	31
PID 2544 wrote to memory of 1244	2544	141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe	31
PID 1244 wrote to memory of 1060	1244	WINWORD.exe	32
PID 1244 wrote to memory of 1060	1244	WINWORD.exe	32
PID 1244 wrote to memory of 1060	1244	WINWORD.exe	32
PID 1244 wrote to memory of 1060	1244	WINWORD.exe	32
PID 1060 wrote to memory of 2904	1060	cmd.exe	34
PID 1060 wrote to memory of 2904	1060	cmd.exe	34
PID 1060 wrote to memory of 2904	1060	cmd.exe	34
PID 1060 wrote to memory of 2904	1060	cmd.exe	34
PID 1060 wrote to memory of 1932	1060	cmd.exe	35
PID 1060 wrote to memory of 1932	1060	cmd.exe	35
PID 1060 wrote to memory of 1932	1060	cmd.exe	35
PID 1060 wrote to memory of 1932	1060	cmd.exe	35
PID 1060 wrote to memory of 2808	1060	cmd.exe	36
PID 1060 wrote to memory of 2808	1060	cmd.exe	36
PID 1060 wrote to memory of 2808	1060	cmd.exe	36
PID 1060 wrote to memory of 2808	1060	cmd.exe	36
PID 1060 wrote to memory of 2880	1060	cmd.exe	37
PID 1060 wrote to memory of 2880	1060	cmd.exe	37
PID 1060 wrote to memory of 2880	1060	cmd.exe	37
PID 1060 wrote to memory of 2880	1060	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe
"C:\Users\Admin\AppData\Local\Temp\141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" -r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 2&del "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe"&ping 127.0.0.1 -n 2&rename "C:\Users\Admin\AppData\Roaming\Mozilla\00002FF6" WINWORD.exe&ping 127.0.0.1 -n 2&"C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2904
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1932
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2808
  - - C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe
      "C:\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe" \r
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\00002FF6

Filesize
40KB

MD5
4b2ab0c20b12a3922d8b7afb0c8eb6b9

SHA1
a8e6c37e9068039a4a4f18152d5dcaa701ed06b9

SHA256
24c175d07a1fcb66ece2f77467a42677adf8ae1fdd042c1afa0dc6611664f99c

SHA512
3b25dec10e12c6a0111f8c65f33be252ce67291bc1548aebb6de1d83848eb57243c4a2156c746d9a0b5cf48e4847cc85aec8f0fdba856938a71c9ce9ef39a8c0

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\WINWORD.exe

Filesize
40KB

MD5
81aea8c3fe9df02f22b1b7b24965d850

SHA1
4e43b66c1c54e5cc1274ba202b758c504207ca65

SHA256
141460eb52e239ceb6242510477df552b699045b1fea67eb47baaae5165fd068

SHA512
36edf22b3353bda36c2baea465bfe48b4558e7f2b6f7193a8db5586753d779d95bc19e511bfe2ec1ea5ea8c8d965e1f48e9fa3e7d5e205e76e3bc3a7b8ecdd91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads