5cd7eab6d1ff136e0f69ae76a45fa3f5e6f77e4c4185dc34205a5f2a6c054663

General

Target

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmpDocx2Rtf.exe

pid process

1484 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
1712 Docx2Rtf.exe

pid	process
1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
1712	Docx2Rtf.exe

Loads dropped DLL 2 IoCs

Processes:

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

pid	process
1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe
1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Docx2Rtf.exe

pid process

1712 Docx2Rtf.exe

pid	process
1712	Docx2Rtf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

description	pid	process	target process
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1588 wrote to memory of 1484	1588	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	Docx2Rtf.exe
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	Docx2Rtf.exe
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	Docx2Rtf.exe
PID 1484 wrote to memory of 1712	1484	3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp	Docx2Rtf.exe

C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe
"C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp" /SL5="$3011A,118835448,809472,C:\Users\Admin\AppData\Local\Temp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe

MD5
ba95ebd0d6f6e7861b75149561f1fbd3

SHA1
639a1e699d3aea6a0a204e4023f87ef05b4df5fb

SHA256
caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4

SHA512
7c1f01685bb73865e954a8629712c8183cdd9416d7eadf478dfb54eef18424c71c9f9e9d40e7d5889a7212a45585c6f22726bfa81160eedf5b7a6ab450a2cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

MD5
26fcf4debd7de2d67fc0289257d02300

SHA1
e31cf43e9a8346e320e19618f9d8c9de2b641c20

SHA256
aab26ce34cd22bdfab7aa5270218f5af2e34276bfc155a7f51c26dc53c14d3f2

SHA512
bf24ffd2fef7f72b853f44b477ee70c8c721a7411e928ab7719dc0f208e687bed8f47883033e658a0a04735a42640398ee5e7e486b38e46254f16fb2154cb67a

Download Submit
\Users\Admin\AppData\Local\Temp\is-3N9TC.tmp\Docx2Rtf.exe

MD5
ba95ebd0d6f6e7861b75149561f1fbd3

SHA1
639a1e699d3aea6a0a204e4023f87ef05b4df5fb

SHA256
caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4

SHA512
7c1f01685bb73865e954a8629712c8183cdd9416d7eadf478dfb54eef18424c71c9f9e9d40e7d5889a7212a45585c6f22726bfa81160eedf5b7a6ab450a2cd51

Download Submit
\Users\Admin\AppData\Local\Temp\is-FM4BA.tmp\3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01.bin.tmp

MD5
26fcf4debd7de2d67fc0289257d02300

SHA1
e31cf43e9a8346e320e19618f9d8c9de2b641c20

SHA256
aab26ce34cd22bdfab7aa5270218f5af2e34276bfc155a7f51c26dc53c14d3f2

SHA512
bf24ffd2fef7f72b853f44b477ee70c8c721a7411e928ab7719dc0f208e687bed8f47883033e658a0a04735a42640398ee5e7e486b38e46254f16fb2154cb67a

Download Submit
memory/1484-1-0x0000000000000000-mapping.dmp

Download
memory/1712-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing