b57d694b6d1f9e0634953e8f5c1e4faf84fb50be806a8887dd5b31bfd58a167f

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
11-02-2021 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mortgage Description.exe
Size

864KB
MD5

82ff2d4182e8d49b1553cfec4739011c
SHA1

f1605f87331b2c980db3757adcfafb065e318f67
SHA256

b57d694b6d1f9e0634953e8f5c1e4faf84fb50be806a8887dd5b31bfd58a167f
SHA512

85e5e7fab18b096d334d3bf7625e071690f89cd4dffb6c46d30d15f1ec190bfc11c08b8f261d7f59db93fd90e56b4fb84e9efbf99cb779fb6844d4a80772a188

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Spread Sheet Reader.exeInstallUtil.exeReader Runtime Processes.exeReader Runtime Processes.exe

pid process

1616 Spread Sheet Reader.exe
3732 InstallUtil.exe
4084 Reader Runtime Processes.exe
588 Reader Runtime Processes.exe

pid	process
1616	Spread Sheet Reader.exe
3732	InstallUtil.exe
4084	Reader Runtime Processes.exe
588	Reader Runtime Processes.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sheet Proffesional Reader = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Spread Sheet Reader.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

Spread Sheet Reader.exe

description pid process target process

PID 1616 set thread context of 3732 1616 Spread Sheet Reader.exe InstallUtil.exe

description	pid	process	target process
PID 1616 set thread context of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Mortgage Description.exeSpread Sheet Reader.exeReader Runtime Processes.exeReader Runtime Processes.exe

pid	process
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
580	Mortgage Description.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe
4084	Reader Runtime Processes.exe
588	Reader Runtime Processes.exe
588	Reader Runtime Processes.exe
588	Reader Runtime Processes.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe
1616	Spread Sheet Reader.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Mortgage Description.exeSpread Sheet Reader.exeReader Runtime Processes.exeReader Runtime Processes.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	580	Mortgage Description.exe
Token: SeDebugPrivilege	1616	Spread Sheet Reader.exe
Token: SeDebugPrivilege	4084	Reader Runtime Processes.exe
Token: SeDebugPrivilege	588	Reader Runtime Processes.exe
Token: SeDebugPrivilege	3732	InstallUtil.exe
Token: SeDebugPrivilege	3732	InstallUtil.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Mortgage Description.execmd.exeSpread Sheet Reader.exeReader Runtime Processes.exe

description	pid	process	target process
PID 580 wrote to memory of 2620	580	Mortgage Description.exe	cmd.exe
PID 580 wrote to memory of 2620	580	Mortgage Description.exe	cmd.exe
PID 580 wrote to memory of 2620	580	Mortgage Description.exe	cmd.exe
PID 2620 wrote to memory of 3468	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3468	2620	cmd.exe	reg.exe
PID 2620 wrote to memory of 3468	2620	cmd.exe	reg.exe
PID 580 wrote to memory of 1616	580	Mortgage Description.exe	Spread Sheet Reader.exe
PID 580 wrote to memory of 1616	580	Mortgage Description.exe	Spread Sheet Reader.exe
PID 580 wrote to memory of 1616	580	Mortgage Description.exe	Spread Sheet Reader.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 3732	1616	Spread Sheet Reader.exe	InstallUtil.exe
PID 1616 wrote to memory of 4084	1616	Spread Sheet Reader.exe	Reader Runtime Processes.exe
PID 1616 wrote to memory of 4084	1616	Spread Sheet Reader.exe	Reader Runtime Processes.exe
PID 1616 wrote to memory of 4084	1616	Spread Sheet Reader.exe	Reader Runtime Processes.exe
PID 4084 wrote to memory of 588	4084	Reader Runtime Processes.exe	Reader Runtime Processes.exe
PID 4084 wrote to memory of 588	4084	Reader Runtime Processes.exe	Reader Runtime Processes.exe
PID 4084 wrote to memory of 588	4084	Reader Runtime Processes.exe	Reader Runtime Processes.exe

C:\Users\Admin\AppData\Local\Temp\Mortgage Description.exe
"C:\Users\Admin\AppData\Local\Temp\Mortgage Description.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sheet Proffesional Reader" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Sheet Proffesional Reader" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
3⤵
- Adds Run key to start application
PID:3468

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
"C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
"C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.txt
MD5
987cd39304e4f0df17d63b09ef3e0c73

SHA1
1be99e10e067161924d859deb8c92fa82cd9f7ee

SHA256
4cbb8ab4837293dc77a8ec8a144ead55170947642c09b80beb272b9ca7d79212

SHA512
756dd3a420e7c8fbde0530d73addffe3adc556f9892db977bee4142eee6252b28bd631977dd477e989420463617916b19f341dd1fbd31d38c004372ecd11488e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.txt
MD5
54e52f5619cd78e1af192b8187123c00

SHA1
c4683b181f8b86a2f819f607c24ad817f18be6ec

SHA256
1efeeeda8f4edb89740a89d646979e823ba33507ed6c209af9ad70ee632056e7

SHA512
293272d72599215a830aa317b5d6ffc1d7bd2c8070db0adc1f93d72f55869dbcd879e3ef8d1aa25f60856a936c35380e9c4bcc7fb3ea92940b5ec82fde43c8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reader Runtime Processes.txt
MD5
54e52f5619cd78e1af192b8187123c00

SHA1
c4683b181f8b86a2f819f607c24ad817f18be6ec

SHA256
1efeeeda8f4edb89740a89d646979e823ba33507ed6c209af9ad70ee632056e7

SHA512
293272d72599215a830aa317b5d6ffc1d7bd2c8070db0adc1f93d72f55869dbcd879e3ef8d1aa25f60856a936c35380e9c4bcc7fb3ea92940b5ec82fde43c8cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe
MD5
82ff2d4182e8d49b1553cfec4739011c

SHA1
f1605f87331b2c980db3757adcfafb065e318f67

SHA256
b57d694b6d1f9e0634953e8f5c1e4faf84fb50be806a8887dd5b31bfd58a167f

SHA512
85e5e7fab18b096d334d3bf7625e071690f89cd4dffb6c46d30d15f1ec190bfc11c08b8f261d7f59db93fd90e56b4fb84e9efbf99cb779fb6844d4a80772a188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Spread Sheet Reader.exe
MD5
82ff2d4182e8d49b1553cfec4739011c

SHA1
f1605f87331b2c980db3757adcfafb065e318f67

SHA256
b57d694b6d1f9e0634953e8f5c1e4faf84fb50be806a8887dd5b31bfd58a167f

SHA512
85e5e7fab18b096d334d3bf7625e071690f89cd4dffb6c46d30d15f1ec190bfc11c08b8f261d7f59db93fd90e56b4fb84e9efbf99cb779fb6844d4a80772a188

Download Submit
memory/580-11-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

Filesize
4KB

Download
memory/580-8-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/580-14-0x0000000005711000-0x0000000005712000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/580-3-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/580-5-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/580-10-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/588-47-0x0000000000000000-mapping.dmp

Download
memory/588-49-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-24-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1616-30-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/1616-29-0x0000000006130000-0x000000000613B000-memory.dmp

Filesize
44KB

Download
memory/1616-28-0x0000000005011000-0x0000000005012000-memory.dmp

Filesize
4KB

Download
memory/1616-15-0x0000000000000000-mapping.dmp

Download
memory/1616-18-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-12-0x0000000000000000-mapping.dmp

Download
memory/3468-13-0x0000000000000000-mapping.dmp

Download
memory/3732-35-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/3732-50-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/3732-32-0x0000000000408D4E-mapping.dmp

Download
memory/3732-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3732-56-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/4084-43-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4084-42-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4084-39-0x0000000000000000-mapping.dmp

Download