a74dde8bce765d31b30cb246c6c7ff9478ac14c095f3128dbb7d922fd404de39

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20210408
submitted
16-04-2021 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

size.exe
Size

960KB
MD5

c16ef028df44a673b5b95ea99217eb2b
SHA1

8fc1d48a6e232e272189388cc80b8d79aa121a64
SHA256

a74dde8bce765d31b30cb246c6c7ff9478ac14c095f3128dbb7d922fd404de39
SHA512

68c651671847ebb3422488b6f895c820c21ec35b6a78507239a4fb2ebcd409dd9e0093b3826c9b6d3b528f294371a40fd1f8a7168f0ff7ec4421da6663958c1d

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ic.exeWINWORD.EXE

pid process

1704 ic.exe
1256 WINWORD.EXE
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 11 IoCs

Processes:

size.exeWINWORD.EXEsvchost.exe

pid process

784 size.exe
784 size.exe
784 size.exe
784 size.exe
784 size.exe
784 size.exe
784 size.exe
784 size.exe
1256 WINWORD.EXE
1740 svchost.exe
1740 svchost.exe

pid	process
1704	ic.exe
1256	WINWORD.EXE

pid	process
784	size.exe
784	size.exe
784	size.exe
784	size.exe
784	size.exe
784	size.exe
784	size.exe
784	size.exe
1256	WINWORD.EXE
1740	svchost.exe
1740	svchost.exe

Drops file in Windows directory 7 IoCs

Processes:

size.exe

description	ioc	process
File opened for modification	C:\Windows\Help\wwlib.dll	size.exe
File created	C:\Windows\Help\ic.exe	size.exe
File opened for modification	C:\Windows\Help\ic.exe	size.exe
File created	C:\Windows\Help\WINWORD.EXE	size.exe
File opened for modification	C:\Windows\Help\WINWORD.EXE	size.exe
File created	C:\Windows\Help\__tmp_rar_sfx_access_check_259285377	size.exe
File created	C:\Windows\Help\wwlib.dll	size.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

taskmgr.exe

pid	process
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

332 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	332	taskmgr.exe
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

taskmgr.exe

pid	process
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

taskmgr.exe

pid	process
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe
332	taskmgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

size.exeWINWORD.EXEnet.exe

description	pid	process	target process
PID 784 wrote to memory of 1704	784	size.exe	ic.exe
PID 784 wrote to memory of 1704	784	size.exe	ic.exe
PID 784 wrote to memory of 1704	784	size.exe	ic.exe
PID 784 wrote to memory of 1704	784	size.exe	ic.exe
PID 784 wrote to memory of 1256	784	size.exe	WINWORD.EXE
PID 784 wrote to memory of 1256	784	size.exe	WINWORD.EXE
PID 784 wrote to memory of 1256	784	size.exe	WINWORD.EXE
PID 784 wrote to memory of 1256	784	size.exe	WINWORD.EXE
PID 1256 wrote to memory of 1708	1256	WINWORD.EXE	net.exe
PID 1256 wrote to memory of 1708	1256	WINWORD.EXE	net.exe
PID 1256 wrote to memory of 1708	1256	WINWORD.EXE	net.exe
PID 1256 wrote to memory of 1708	1256	WINWORD.EXE	net.exe
PID 1708 wrote to memory of 1008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 1008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 1008	1708	net.exe	net1.exe
PID 1708 wrote to memory of 1008	1708	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\size.exe
"C:\Users\Admin\AppData\Local\Temp\size.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:784

C:\windows\help\ic.exe
"C:\windows\help\ic.exe"
2⤵
- Executes dropped EXE
PID:1704

C:\windows\help\WINWORD.EXE
"C:\windows\help\WINWORD.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\net.exe
net start "Bonjours"
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Bonjours"
4⤵
PID:1008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1740

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\edg8E5C.tmp

MD5
1f27b5e9fde910e7d676031940ffacc0

SHA1
33e8b623298c7e927f9d58a7e5748b68f5af76eb

SHA256
65e8b32bf59855cd35a21545fd96ca147caffcb1f47d0966df71c2a50c4c6306

SHA512
81dc178635a44bf87a5f780f34c381a5334b203a142ca2d180b42b7e2d2fc18ea73f796422e426ba6f6342b62e91d75ec5ecf982d0d90cf3775e4a93519e80e4

Download Submit
C:\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
C:\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
C:\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
C:\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
C:\windows\help\wwlib.dll

MD5
1f27b5e9fde910e7d676031940ffacc0

SHA1
33e8b623298c7e927f9d58a7e5748b68f5af76eb

SHA256
65e8b32bf59855cd35a21545fd96ca147caffcb1f47d0966df71c2a50c4c6306

SHA512
81dc178635a44bf87a5f780f34c381a5334b203a142ca2d180b42b7e2d2fc18ea73f796422e426ba6f6342b62e91d75ec5ecf982d0d90cf3775e4a93519e80e4

Download Submit
\??\c:\users\admin\appdata\local\temp\edg8e4b.tmp

MD5
98fd6e0e3245497316294a545dff452c

SHA1
188d08827b1b4c25c5eb85949d7b09ef55a6e59d

SHA256
22a2fa52cd0c2a65b442915cfdd172680290dca133e6b94c2465ae17793f5997

SHA512
dffc2f668686614d533173657c1da712c31816109a554326f47a674fe5bdf3c31c2a47b0a253a31807c6764e97537e37ff55415cc9e9e4ff69127bf694738331

Download Submit
\Users\Admin\AppData\Local\Temp\edg8E4B.tmp

MD5
98fd6e0e3245497316294a545dff452c

SHA1
188d08827b1b4c25c5eb85949d7b09ef55a6e59d

SHA256
22a2fa52cd0c2a65b442915cfdd172680290dca133e6b94c2465ae17793f5997

SHA512
dffc2f668686614d533173657c1da712c31816109a554326f47a674fe5bdf3c31c2a47b0a253a31807c6764e97537e37ff55415cc9e9e4ff69127bf694738331

Download Submit
\Users\Admin\AppData\Local\Temp\edg8E5C.tmp

MD5
1f27b5e9fde910e7d676031940ffacc0

SHA1
33e8b623298c7e927f9d58a7e5748b68f5af76eb

SHA256
65e8b32bf59855cd35a21545fd96ca147caffcb1f47d0966df71c2a50c4c6306

SHA512
81dc178635a44bf87a5f780f34c381a5334b203a142ca2d180b42b7e2d2fc18ea73f796422e426ba6f6342b62e91d75ec5ecf982d0d90cf3775e4a93519e80e4

Download Submit
\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
\Windows\Help\WINWORD.EXE

MD5
15e52f52ed2b8ed122fae897119687c4

SHA1
6e35ae1d5b6f192109d7a752acd939f5ca2b97a6

SHA256
8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736

SHA512
338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea

Download Submit
\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
\Windows\Help\ic.exe

MD5
0b11b2bcabbf3e130663f060b1603358

SHA1
bf56735e01c3781394cfe15a4f843375c6f0bb2f

SHA256
6237eba77c294b655dc8974a51f812f238aa89b0d1ae1515c778ea7d792b8b6a

SHA512
e3da337a925c5383b7e81d04e8cf2ec410dbb6ce9d82ae0191dac6ae5bb800c72fd9973ce7853a08790fcd6ad9baa9ea4acf7053862f454e3f53a5ff46c29ff7

Download Submit
\Windows\Help\wwlib.dll

MD5
1f27b5e9fde910e7d676031940ffacc0

SHA1
33e8b623298c7e927f9d58a7e5748b68f5af76eb

SHA256
65e8b32bf59855cd35a21545fd96ca147caffcb1f47d0966df71c2a50c4c6306

SHA512
81dc178635a44bf87a5f780f34c381a5334b203a142ca2d180b42b7e2d2fc18ea73f796422e426ba6f6342b62e91d75ec5ecf982d0d90cf3775e4a93519e80e4

Download Submit
memory/332-76-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/784-60-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1008-80-0x0000000000000000-mapping.dmp

Download
memory/1256-75-0x000000006EB60000-0x000000006EB70000-memory.dmp

Filesize
64KB

Download
memory/1256-83-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1256-84-0x0000000000170000-0x00000000001BD000-memory.dmp

Filesize
308KB

Download
memory/1256-71-0x0000000000000000-mapping.dmp

Download
memory/1704-65-0x0000000000000000-mapping.dmp

Download
memory/1708-79-0x0000000000000000-mapping.dmp

Download
memory/1740-87-0x000000006EB60000-0x000000006EB70000-memory.dmp

Filesize
64KB

Download