7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debca

General

Target

7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe
Size

1.6MB
MD5

b9d8c894931f136c138074ce80afc2a0
SHA1

d6a58aa7940e3b7680b28c2539817bb3b410892b
SHA256

7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debca
SHA512

1b6002b34c58601ac44a1d1394506693032cad44ac366a599de3b9c549f5d62b0c8e7053a276c000764c52482be1a56effd4f69d1c9c59d544fb3825777f21e2
SSDEEP

24576:DLILY8Xu/3y8UsG2BgYLicwnk+CHdebUKyZURQ1TgjTV:EYrC8UsGuTwXCHdeQKyZURQ1EjTV

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3060	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3060	WINWORD.EXE
3060	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3060	2672	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe	30
PID 2672 wrote to memory of 3060	2672	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe	30
PID 2672 wrote to memory of 3060	2672	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe	30
PID 2672 wrote to memory of 3060	2672	7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe	30
PID 3060 wrote to memory of 2360	3060	WINWORD.EXE	32
PID 3060 wrote to memory of 2360	3060	WINWORD.EXE	32
PID 3060 wrote to memory of 2360	3060	WINWORD.EXE	32
PID 3060 wrote to memory of 2360	3060	WINWORD.EXE	32

C:\Users\Admin\AppData\Local\Temp\7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe
"C:\Users\Admin\AppData\Local\Temp\7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debcaN.docx

Filesize
15KB

MD5
f0318b575cd6b3184a92dfb8ae4d45b7

SHA1
ca9b8d825b5c0475f62d2ea9e1c089912396b463

SHA256
862c64f04704c12835c55b51f8ab694d5f5f01d5528688901bcbcf03ce84d7ca

SHA512
ebb4b6e58ff27cca88a45ea2b4943c15048ca99c034d760badf1611174aee2e195ba9b0335abbcde8f8e692068000cf260e4e691523b28de097628927d6e1bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\852510552.tmp

Filesize
1.6MB

MD5
b9d8c894931f136c138074ce80afc2a0

SHA1
d6a58aa7940e3b7680b28c2539817bb3b410892b

SHA256
7c270bddafb59b7943dc6c9eda21965578e2ac7455df5a2cf5335e6f0a7debca

SHA512
1b6002b34c58601ac44a1d1394506693032cad44ac366a599de3b9c549f5d62b0c8e7053a276c000764c52482be1a56effd4f69d1c9c59d544fb3825777f21e2

Download Submit
memory/3060-10-0x000000002F0D1000-0x000000002F0D2000-memory.dmp

Filesize
4KB

Download
memory/3060-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3060-12-0x000000007129D000-0x00000000712A8000-memory.dmp

Filesize
44KB

Download
memory/3060-22-0x000000007129D000-0x00000000712A8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads