Analysis
- max time kernel: 123s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-05-2021 02:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
- Resource: win7v20210410
General
- Target: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
- Size: 409KB
- MD5: ba3916c609c877870cfe6c582d7aa82e
- SHA1: 4f6583881ea79793e59d1ab58dfcb95d4eb09cca
- SHA256: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058
- SHA512: 709a27fc0dfadb446126d42049c46ac96c0b993f31a0a7c7a7e4745e55111ce904f4bbb296774c9f59fb2ad5e6451572813ab5eb6f0966e65db9067b4eac63ee
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: 1748.tmp (PID 1220)
- Yara rule match
  Resource: C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc, rule: office_xlm_macros
- Loads dropped DLL (1 IoCs)
  Processes: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe (PID 1864)
- Drops file in Windows directory (1 IoCs)
  Processes: WINWORD.EXE, file opened for modification: C:\Windows\Debug\WIA\wiatrace.log
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE (PID 280)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: 1748.tmp (PID 1220)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE (PID 280), WINWORD.EXE (PID 280)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe, 1748.tmp, WINWORD.EXE
  - PID 1864 (f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe) wrote to memory of PID 1220 (1748.tmp), reported 4 times
  - PID 1220 (1748.tmp) wrote to memory of PID 280 (WINWORD.EXE), reported 4 times
  - PID 280 (WINWORD.EXE) wrote to memory of PID 676 (splwow64.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe"
  PID: 1864
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1748.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\1748.tmp" --ping C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.exe 32875D8CF24E88E8164CD0FB5F4178E39364B4A21577F553E97E03EBA209FF28F0349B758F902E092BEE7C59412AAD07524E9FBEF223E760A040124B76C5F650
    PID: 1220
    - Executes dropped EXE
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc"
      PID: 280
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 676
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1748.tmp
  MD5: 0b9478e481e6504375951b839519f1ef
  SHA1: 6ae661ff46cb1ae78efea25b4591283bc7d0e9bf
  SHA256: ff02bc5a540e024b2be60c8abbe507c8c928d324a3e2fad7d7a3b3950e181796
  SHA512: 5fdb7d7bab1698fb99a124bee6ca23fbdac556b265e0b9189dcc4a4e02a0c781636131756bf77608bcb82376194ed84a2686ae38e4f9422c0da9cad3457c6d3e
- C:\Users\Admin\AppData\Local\Temp\f1c4b6d2f0f1e296ba6cf89aa2ed889ff7c90118ddb2fb97bc4bb911b9e9e058.doc
  MD5: 12e57ae08f64353b3c3b3d08681aaaf1
  SHA1: 36b6aca282497c65d41513b231d247b0187651f1
  SHA256: 07498e905c47bfea983587265b88eb01bc6098978c375c71074b9469a99b4308
  SHA512: aba2748b1b5d26f52a93bbfabbd4760435b06d6c449631930e7db339c5317429f59cc24709515707cdda34956c73d30e60b83b81986873eb544b1040388748a8
- memory/280-63-0x0000000000000000-mapping.dmp
- memory/280-64-0x0000000072F71000-0x0000000072F74000-memory.dmp (Filesize: 12KB)
- memory/280-65-0x00000000709F1000-0x00000000709F3000-memory.dmp (Filesize: 8KB)
- memory/280-66-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/280-70-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/676-68-0x0000000000000000-mapping.dmp
- memory/676-69-0x000007FEFC471000-0x000007FEFC473000-memory.dmp (Filesize: 8KB)
- memory/1220-60-0x0000000000000000-mapping.dmp
- memory/1220-62-0x0000000076A81000-0x0000000076A83000-memory.dmp (Filesize: 8KB)