904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

General

Target

OfficeConsultPlugin.exe
Size

1.4MB
MD5

fba1fd894b9201a11e866ba58c80ae61
SHA1

89236d9795f1e8db7d895d0e364dd4768ebc6410
SHA256

904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a
SHA512

0d37b91123abb1ded40ae7604980dffa675dcacc1bf772b06e36a2e4c72488558511dd3f8df0fc47d9a6cc870eaef4a9e54a55b20a4432b5802cdeeba327470a

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

OfficeConsultPlugin.exe

pid process

696 OfficeConsultPlugin.exe

pid	process
696	OfficeConsultPlugin.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OfficeConsultPlugin.exe

description	ioc	process
File opened (read-only)	\??\g:	OfficeConsultPlugin.exe
File opened (read-only)	\??\K:	OfficeConsultPlugin.exe
File opened (read-only)	\??\l:	OfficeConsultPlugin.exe
File opened (read-only)	\??\u:	OfficeConsultPlugin.exe
File opened (read-only)	\??\D:	OfficeConsultPlugin.exe
File opened (read-only)	\??\Q:	OfficeConsultPlugin.exe
File opened (read-only)	\??\e:	OfficeConsultPlugin.exe
File opened (read-only)	\??\k:	OfficeConsultPlugin.exe
File opened (read-only)	\??\n:	OfficeConsultPlugin.exe
File opened (read-only)	\??\q:	OfficeConsultPlugin.exe
File opened (read-only)	\??\U:	OfficeConsultPlugin.exe
File opened (read-only)	\??\W:	OfficeConsultPlugin.exe
File opened (read-only)	\??\y:	OfficeConsultPlugin.exe
File opened (read-only)	\??\A:	OfficeConsultPlugin.exe
File opened (read-only)	\??\f:	OfficeConsultPlugin.exe
File opened (read-only)	\??\F:	OfficeConsultPlugin.exe
File opened (read-only)	\??\r:	OfficeConsultPlugin.exe
File opened (read-only)	\??\s:	OfficeConsultPlugin.exe
File opened (read-only)	\??\w:	OfficeConsultPlugin.exe
File opened (read-only)	\??\H:	OfficeConsultPlugin.exe
File opened (read-only)	\??\j:	OfficeConsultPlugin.exe
File opened (read-only)	\??\J:	OfficeConsultPlugin.exe
File opened (read-only)	\??\L:	OfficeConsultPlugin.exe
File opened (read-only)	\??\m:	OfficeConsultPlugin.exe
File opened (read-only)	\??\N:	OfficeConsultPlugin.exe
File opened (read-only)	\??\S:	OfficeConsultPlugin.exe
File opened (read-only)	\??\x:	OfficeConsultPlugin.exe
File opened (read-only)	\??\B:	OfficeConsultPlugin.exe
File opened (read-only)	\??\I:	OfficeConsultPlugin.exe
File opened (read-only)	\??\Z:	OfficeConsultPlugin.exe
File opened (read-only)	\??\T:	OfficeConsultPlugin.exe
File opened (read-only)	\??\E:	OfficeConsultPlugin.exe
File opened (read-only)	\??\h:	OfficeConsultPlugin.exe
File opened (read-only)	\??\i:	OfficeConsultPlugin.exe
File opened (read-only)	\??\M:	OfficeConsultPlugin.exe
File opened (read-only)	\??\o:	OfficeConsultPlugin.exe
File opened (read-only)	\??\p:	OfficeConsultPlugin.exe
File opened (read-only)	\??\t:	OfficeConsultPlugin.exe
File opened (read-only)	\??\v:	OfficeConsultPlugin.exe
File opened (read-only)	\??\V:	OfficeConsultPlugin.exe
File opened (read-only)	\??\Y:	OfficeConsultPlugin.exe
File opened (read-only)	\??\z:	OfficeConsultPlugin.exe
File opened (read-only)	\??\a:	OfficeConsultPlugin.exe
File opened (read-only)	\??\b:	OfficeConsultPlugin.exe
File opened (read-only)	\??\G:	OfficeConsultPlugin.exe
File opened (read-only)	\??\O:	OfficeConsultPlugin.exe
File opened (read-only)	\??\P:	OfficeConsultPlugin.exe
File opened (read-only)	\??\R:	OfficeConsultPlugin.exe
File opened (read-only)	\??\X:	OfficeConsultPlugin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

OfficeConsultPlugin.exe

description pid process target process

PID 696 set thread context of 204 696 OfficeConsultPlugin.exe OfficeConsultPlugin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

OfficeConsultPlugin.exe

pid process

696 OfficeConsultPlugin.exe

description	pid	process	target process
PID 696 set thread context of 204	696	OfficeConsultPlugin.exe	OfficeConsultPlugin.exe

pid	process
696	OfficeConsultPlugin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

OfficeConsultPlugin.exe

description	pid	process	target process
PID 696 wrote to memory of 204	696	OfficeConsultPlugin.exe	OfficeConsultPlugin.exe
PID 696 wrote to memory of 204	696	OfficeConsultPlugin.exe	OfficeConsultPlugin.exe
PID 696 wrote to memory of 204	696	OfficeConsultPlugin.exe	OfficeConsultPlugin.exe
PID 696 wrote to memory of 204	696	OfficeConsultPlugin.exe	OfficeConsultPlugin.exe

C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe"
2⤵
- Enumerates connected drives
PID:204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsv6E70.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/204-115-0x0000000000488AD2-mapping.dmp

Download
memory/204-116-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing