5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

Analysis

max time kernel
82s
max time network
124s
platform
windows7_x64
resource
win7v20201028
submitted
17-02-2021 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69577.exe
Size

501KB
MD5

a7913461e211158d5ac34ac3bd06bc7b
SHA1

71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b
SHA256

5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13
SHA512

8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Microsoft Office Publisher MUI (English) 2010.exeMicrosoft Office Publisher MUI (English) 2010.exeMicrosoft Office Publisher MUI (English) 2010.exeMicrosoft Office Publisher MUI (English) 2010.exe

pid	process
1744	Microsoft Office Publisher MUI (English) 2010.exe
1368	Microsoft Office Publisher MUI (English) 2010.exe
344	Microsoft Office Publisher MUI (English) 2010.exe
324	Microsoft Office Publisher MUI (English) 2010.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

436 cmd.exe

pid	process
436	cmd.exe

Drops startup file 2 IoCs

Processes:

69577.exeMicrosoft Office Publisher MUI (English) 2010.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe	69577.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe

Loads dropped DLL 3 IoCs

Processes:

69577.exeMicrosoft Office Publisher MUI (English) 2010.exeEhStorAuthn.exe

pid process

1628 69577.exe
324 Microsoft Office Publisher MUI (English) 2010.exe
664 EhStorAuthn.exe

pid	process
1628	69577.exe
324	Microsoft Office Publisher MUI (English) 2010.exe
664	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EhStorAuthn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\z_Admin\\Admin.vbs"	EhStorAuthn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

69577.exeMicrosoft Office Publisher MUI (English) 2010.exeEhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	69577.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	69577.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Microsoft Office Publisher MUI (English) 2010.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Microsoft Office Publisher MUI (English) 2010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	EhStorAuthn.exe

Drops file in System32 directory 1 IoCs

Processes:

EhStorAuthn.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\EhStorAuthn.exe EhStorAuthn.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	EhStorAuthn.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

69577.exeMicrosoft Office Publisher MUI (English) 2010.exe

description	pid	process	target process
PID 1784 set thread context of 1628	1784	69577.exe	69577.exe
PID 1744 set thread context of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EhStorAuthn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EhStorAuthn.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

920 PING.EXE

pid	process
920	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Microsoft Office Publisher MUI (English) 2010.exe

pid	process
1744	Microsoft Office Publisher MUI (English) 2010.exe
1744	Microsoft Office Publisher MUI (English) 2010.exe
1744	Microsoft Office Publisher MUI (English) 2010.exe
1744	Microsoft Office Publisher MUI (English) 2010.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Microsoft Office Publisher MUI (English) 2010.exeEhStorAuthn.exe

description pid process

Token: SeDebugPrivilege 1744 Microsoft Office Publisher MUI (English) 2010.exe
Token: SeDebugPrivilege 664 EhStorAuthn.exe

description	pid	process
Token: SeDebugPrivilege	1744	Microsoft Office Publisher MUI (English) 2010.exe
Token: SeDebugPrivilege	664	EhStorAuthn.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

69577.exe69577.execmd.exeMicrosoft Office Publisher MUI (English) 2010.exeMicrosoft Office Publisher MUI (English) 2010.exe

description	pid	process	target process
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1784 wrote to memory of 1628	1784	69577.exe	69577.exe
PID 1628 wrote to memory of 1744	1628	69577.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1628 wrote to memory of 1744	1628	69577.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1628 wrote to memory of 1744	1628	69577.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1628 wrote to memory of 1744	1628	69577.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1628 wrote to memory of 436	1628	69577.exe	cmd.exe
PID 1628 wrote to memory of 436	1628	69577.exe	cmd.exe
PID 1628 wrote to memory of 436	1628	69577.exe	cmd.exe
PID 1628 wrote to memory of 436	1628	69577.exe	cmd.exe
PID 436 wrote to memory of 920	436	cmd.exe	PING.EXE
PID 436 wrote to memory of 920	436	cmd.exe	PING.EXE
PID 436 wrote to memory of 920	436	cmd.exe	PING.EXE
PID 436 wrote to memory of 920	436	cmd.exe	PING.EXE
PID 436 wrote to memory of 1704	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1704	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1704	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 1704	436	cmd.exe	cmd.exe
PID 1744 wrote to memory of 1368	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 1368	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 1368	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 1368	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 344	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 344	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 344	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 344	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 1744 wrote to memory of 324	1744	Microsoft Office Publisher MUI (English) 2010.exe	Microsoft Office Publisher MUI (English) 2010.exe
PID 324 wrote to memory of 664	324	Microsoft Office Publisher MUI (English) 2010.exe	EhStorAuthn.exe
PID 324 wrote to memory of 664	324	Microsoft Office Publisher MUI (English) 2010.exe	EhStorAuthn.exe
PID 324 wrote to memory of 664	324	Microsoft Office Publisher MUI (English) 2010.exe	EhStorAuthn.exe
PID 324 wrote to memory of 664	324	Microsoft Office Publisher MUI (English) 2010.exe	EhStorAuthn.exe
PID 324 wrote to memory of 664	324	Microsoft Office Publisher MUI (English) 2010.exe	EhStorAuthn.exe

C:\Users\Admin\AppData\Local\Temp\69577.exe
"C:\Users\Admin\AppData\Local\Temp\69577.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\69577.exe
"{path}"
2⤵
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
"{path}"
4⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
"{path}"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
5⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\del.bat
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 3
4⤵
- Runs ping.exe
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
4⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat
MD5
44e58a4d0ef4e79fb01c281742b3ff23

SHA1
5e1e8891e6b891f06d408b37893cadec2304f21b

SHA256
ac90cc2ef58efee7e23e64a06cf9b816ab59bb5dff9a94002ec812a56db6c060

SHA512
5ff9430fffc821a7445c32473b57ba727161e292c44f0106204562dfb11ed4aa93902fb5d047889a49c26e3888a95201c3a5e7faa715c01370a00b983eb48fbb

Download Submit
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\z_Admin\wallpaper.mp4
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Publisher MUI (English) 2010.exe
MD5
a7913461e211158d5ac34ac3bd06bc7b

SHA1
71c3f7a9eac34b0b5ccd5ec2df01f9c95f14235b

SHA256
5fc108db5114be4174cb9365f86a17e25164a05cc1e90ef9ee29ab30abed3a13

SHA512
8107feec4426f820d3910e35d6e3c1a1aa85a104231a0529f7fcd825f2dfec10fbf856bc2b37c585a34f5d03b514ece7f54b600add6fb668cda0c7d1a7374e04

Download Submit
memory/324-29-0x00000000004020F8-mapping.dmp

Download
memory/436-15-0x0000000000000000-mapping.dmp

Download
memory/664-36-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/920-22-0x0000000000000000-mapping.dmp

Download
memory/1628-11-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1628-9-0x00000000004020F8-mapping.dmp

Download
memory/1628-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1628-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1704-24-0x0000000000000000-mapping.dmp

Download
memory/1744-18-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1744-23-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1744-17-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-13-0x0000000000000000-mapping.dmp

Download
memory/1784-5-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1784-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-6-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/1784-3-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1784-7-0x0000000004A60000-0x0000000004AC1000-memory.dmp

Filesize
388KB

Download