Analysis
max time kernel: 13s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 08-04-2021 07:53
Static task: static1
Behavioral task: behavioral1 (sample OfficeConsultPlugin.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample OfficeConsultPlugin.exe, resource win10v20201028)
General
Target: OfficeConsultPlugin.exe
Size: 1.4MB
MD5: fba1fd894b9201a11e866ba58c80ae61
SHA1: 89236d9795f1e8db7d895d0e364dd4768ebc6410
SHA256: 904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a
SHA512: 0d37b91123abb1ded40ae7604980dffa675dcacc1bf772b06e36a2e4c72488558511dd3f8df0fc47d9a6cc870eaef4a9e54a55b20a4432b5802cdeeba327470a
Malware Config
Signatures
-
Loads dropped DLL (1 IoC)
Processes: OfficeConsultPlugin.exe (PID 696)
-
Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: OfficeConsultPlugin.exe opened (read-only) the following 49 drive roots, in the order recorded:
\??\g: \??\K: \??\l: \??\u: \??\D: \??\Q: \??\e: \??\k: \??\n: \??\q: \??\U: \??\W: \??\y: \??\A: \??\f: \??\F: \??\r: \??\s: \??\w: \??\H: \??\j: \??\J: \??\L: \??\m: \??\N: \??\S: \??\x: \??\B: \??\I: \??\Z: \??\T: \??\E: \??\h: \??\i: \??\M:
\??\o: \??\p: \??\t: \??\v: \??\V: \??\Y: \??\z: \??\a: \??\b: \??\G: \??\O: \??\P: \??\R: \??\X:
(Each letter A to Z except C is probed in both cases, which is what makes 49 IoCs out of 25 distinct drives. The process tree below attributes this sweep to the second, child instance of the executable.)
-
Suspicious use of SetThreadContext (1 IoC)
Processes: PID 696 (OfficeConsultPlugin.exe) set the thread context of PID 204 (OfficeConsultPlugin.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's description labels this "likely ransomware behaviour"; that is a generic heuristic text for drive enumeration. Nothing else in this report (no file modification, no dropped note, no network activity) corroborates encryption, so treat the label as a lead rather than a verdict.
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: OfficeConsultPlugin.exe (PID 696)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: PID 696 (OfficeConsultPlugin.exe) wrote to the memory of PID 204 (OfficeConsultPlugin.exe), four separate writes.
Taken together, the rows for PID 696 against PID 204 (a second instance of the same image that the parent writes into, maps a section for, and then redirects a thread in) are the shape of process hollowing: the dropper launches a copy of itself, replaces its image in memory and resumes it. The 0x400000-0x534000 memory dump of PID 204 listed under Downloads is the region where that replaced image lives.
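Correlating the signature rows above into a verdict, as an added example that is not part of the sandbox report or its tooling: the script takes hand-constructed event records mirroring the rows (PIDs 696 and 204, the 49 drive roots, the System.dll load) and flags the WriteProcessMemory plus SetThreadContext pair against a same-image child, the non-C: drive sweep, and a DLL loaded from an NSIS-style ns*.tmp directory. The Event schema and the kind names are assumptions made for this example, not the sandbox's export format; attributing the drive sweep to PID 204 follows the process tree, which lists it under the child instance.

```python
"""Correlate sandbox behavioural rows into a process-hollowing triage verdict.

Added example; not part of the sandbox report. The event records are constructed
by hand to mirror the report's signature rows (PIDs 696 and 204, image
OfficeConsultPlugin.exe). The Event fields and the 'kind' names are an assumption
made for this example, not the sandbox's own export schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                          # "WriteProcessMemory", "SetThreadContext", "FileOpen", ...
    pid: int
    image: str
    target_pid: Optional[int] = None   # set for cross-process operations
    target_image: Optional[str] = None
    path: Optional[str] = None         # set for file opens / DLL loads


IMG = "OfficeConsultPlugin.exe"
# The 49 drive roots the report lists, in the report's order and letter case.
DRIVE_ROOTS = "gKluDQeknqUWyAfFrswHjJLmNSxBIZTEhiMoptvVYzabGOPRX"

# Constructed sample mirroring the report's rows (PID 204 for the sweep follows the tree).
SAMPLE_EVENTS: List[Event] = (
    [Event("LoadLibrary", 696, IMG, path=r"C:\Users\Admin\AppData\Local\Temp\nsv6E70.tmp\System.dll"),
     Event("MapViewOfSection", 696, IMG)]
    + [Event("WriteProcessMemory", 696, IMG, 204, IMG) for _ in range(4)]
    + [Event("SetThreadContext", 696, IMG, 204, IMG)]
    + [Event("FileOpen", 204, IMG, path=r"\??\%s:" % d) for d in DRIVE_ROOTS]
)

# %TEMP%\ns<id>.tmp\<plugin>.dll is the layout NSIS uses for extracted plug-ins.
NSIS_PLUGIN_RE = re.compile(r"\\ns\w+\.tmp\\[^\\]+\.dll$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"\\\?\?\\([A-Za-z]):")


def hollowing_candidates(events: List[Event]) -> List[Tuple[int, int, int]]:
    """(source_pid, target_pid, write_count) for every pair where the source both
    wrote into the target and reset one of its thread contexts, and the target
    runs the same image name: the shape left by self-targeted process hollowing."""
    kinds: Dict[Tuple[int, int], set] = defaultdict(set)
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    same_image: Dict[Tuple[int, int], bool] = {}
    for e in events:
        if e.target_pid is None:
            continue
        pair = (e.pid, e.target_pid)
        kinds[pair].add(e.kind)
        same_image[pair] = (e.target_image or "").lower() == e.image.lower()
        if e.kind == "WriteProcessMemory":
            writes[pair] += 1
    return [(src, dst, writes[(src, dst)])
            for (src, dst), ks in sorted(kinds.items())
            if {"WriteProcessMemory", "SetThreadContext"} <= ks and same_image[(src, dst)]]


def drive_enumeration(events: List[Event]) -> Dict[int, List[str]]:
    """Per PID, the distinct non-C: drive letters it opened (case-folded)."""
    letters: Dict[int, set] = defaultdict(set)
    for e in events:
        m = DRIVE_ROOT_RE.fullmatch(e.path or "") if e.kind == "FileOpen" else None
        if m and m.group(1).lower() != "c":
            letters[e.pid].add(m.group(1).lower())
    return {pid: sorted(s) for pid, s in letters.items()}


def nsis_plugin_loads(events: List[Event]) -> List[str]:
    """Paths of DLLs loaded from an NSIS-style temporary plug-in directory."""
    return [e.path for e in events
            if e.kind == "LoadLibrary" and e.path and NSIS_PLUGIN_RE.search(e.path)]


def triage(events: List[Event]) -> Dict[str, object]:
    """Combine the three checks into a short verdict with supporting notes."""
    hollow = hollowing_candidates(events)
    drives = drive_enumeration(events)
    plugins = nsis_plugin_loads(events)
    notes = ["PID %d wrote %d time(s) into PID %d and reset a thread context there; "
             "both run the same image (process hollowing pattern)" % (src, n, dst)
             for src, dst, n in hollow]
    hollowed = {dst for _, dst, _ in hollow}
    for pid, letters in drives.items():
        notes.append("PID %d swept %d non-C: drive roots%s" % (
            pid, len(letters), " (inside the hollowed child, not the dropper)" if pid in hollowed else ""))
    if plugins:
        notes.append("NSIS-style plug-in load: " + "; ".join(plugins))
    return {"verdict": "probable process hollowing" if hollow else "no hollowing pattern",
            "notes": notes}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS)["notes"]:
        print("-", line)
    print("verdict:", triage(SAMPLE_EVENTS)["verdict"])
```

The same-image requirement is deliberately strict: it matches the self-spawning dropper seen here and keeps ordinary debuggers and instrumentation (which write into processes with other image names) out of the verdict.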
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
-
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\OfficeConsultPlugin.exe"
   - Enumerates connected drives
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsv6E70.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
A DLL named System.dll inside a %TEMP%\ns<id>.tmp directory is the layout NSIS installers use when they extract their bundled System plug-in at run time, so the sample is most likely an NSIS-packaged installer and this DLL the standard plug-in rather than a payload. Check the hashes against a known NSIS release before treating it as benign.
-
memory/204-115-0x0000000000488AD2-mapping.dmp
-
memory/204-116-0x0000000000400000-0x0000000000534000-memory.dmp
Filesize: 1.2MB (0x134000 bytes, the full 0x400000-0x534000 image region of the child, PID 204)
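Checking a dumped image region against the PE headers at its start, as an added example not taken from the report or any tool it names: the code builds a synthetic PE32 header block (constructed here; not the sample's real headers) whose ImageBase and SizeOfImage match the 0x400000-0x534000 region from the dump file name, parses it back, tests whether the address recorded in the mapping dump (0x488AD2) falls inside a section, and diffs the header identity against a second constructed header block standing in for the parent's on-disk image. On a real case you would pass the contents of the *-memory.dmp file and the on-disk executable instead; the function and constant names are this example's own.

```python
"""Sanity-check a dumped image region against the PE headers at its start.

Added example; not from the report or any tool it names. It builds a small
synthetic PE32 header block (constructed here, not the sample's real headers)
so it runs offline; on a real case read the *-memory.dmp file instead.
"""
import struct
from typing import Dict, List, Optional, Tuple

REGION_START = 0x00400000      # from the report's dump file name
REGION_END = 0x00534000
PROBE_ADDRESS = 0x00488AD2     # address named in the report's mapping dump


def build_pe32_headers(image_base: int, size_of_image: int, entry_rva: int,
                       sections: List[Tuple[str, int, int]]) -> bytes:
    """Constructed PE32 header block: DOS header, NT headers, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0,
                      image_base, 0x1000, 0x200)          # Magic .. FileAlignment
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)       # version fields
    opt += struct.pack("<IIII", 0, size_of_image, 0x400, 0)  # Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                       # Subsystem, DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += bytes(16 * 8)                                  # empty data directories
    assert len(opt) == 0xE0
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, vsize,
                                   0, 0, 0, 0, 0, 0x60000020)
                       for name, va, vsize in sections)
    return (dos + b"PE\0\0" + file_hdr + opt + sec_tbl).ljust(0x400, b"\0")


def parse_pe_headers(buf: bytes) -> Dict[str, object]:
    """Read the fields needed to judge a mapped image; raises ValueError on junk."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header at region start")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec = struct.unpack_from("<HH", buf, pe + 4)
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", buf, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return {"machine": machine, "image_base": image_base, "size_of_image": size_of_image,
            "entry_rva": entry_rva, "sections": sections}


def section_for_va(hdr: Dict[str, object], va: int) -> Optional[str]:
    """Name of the section containing a virtual address, or None if outside all."""
    rva = va - hdr["image_base"]
    for name, sva, vsize in hdr["sections"]:
        if sva <= rva < sva + vsize:
            return name
    return None


def check_region(dump: bytes, region_start: int, region_end: int) -> Dict[str, object]:
    """Does the dumped region agree with the headers it carries?"""
    hdr = parse_pe_headers(dump)
    entry_va = hdr["image_base"] + hdr["entry_rva"]
    return {"base_matches_region": hdr["image_base"] == region_start,
            "size_matches_region": hdr["size_of_image"] == region_end - region_start,
            "entry_va": entry_va, "entry_section": section_for_va(hdr, entry_va)}


def image_identity_diff(a: bytes, b: bytes) -> List[str]:
    """Header fields on which two images disagree; a hollowed child's in-memory
    headers will differ from the parent's on-disk headers here."""
    ha, hb = parse_pe_headers(a), parse_pe_headers(b)
    return [k for k in ("machine", "image_base", "size_of_image", "entry_rva", "sections")
            if ha[k] != hb[k]]


# Constructed stand-ins: a child image filling the dumped region, and a smaller
# "parent" layout to diff against. Neither is the sample's real header.
CHILD_SECTIONS = [(".text", 0x1000, 0xC0000), (".rdata", 0xC1000, 0x20000), (".data", 0xE1000, 0x53000)]
CHILD_DUMP = build_pe32_headers(REGION_START, REGION_END - REGION_START, 0x1000, CHILD_SECTIONS)
PARENT_HEADERS = build_pe32_headers(REGION_START, 0x9000, 0x1200,
                                    [(".text", 0x1000, 0x4000), (".data", 0x5000, 0x4000)])

if __name__ == "__main__":
    print(check_region(CHILD_DUMP, REGION_START, REGION_END))
    print("0x%X lies in section %r" % (PROBE_ADDRESS, section_for_va(parse_pe_headers(CHILD_DUMP), PROBE_ADDRESS)))
    print("header fields differing from parent:", image_identity_diff(CHILD_DUMP, PARENT_HEADERS))
```

A region whose headers claim the same ImageBase as the dump offset but a SizeOfImage, entry point or section table different from the on-disk executable is the expected signature of a replaced image; a region without MZ/PE at its start is still worth keeping, since hollowing loaders sometimes wipe the headers after mapping.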