Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-05-2021 03:47
Static task: static1
Behavioral task: behavioral1
  Sample: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
  Resource: win10v20210410
General
- Target: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
- Size: 477KB
- MD5: 0ffd87a198719090f53bf74fedc89844
- SHA1: 670ded197734c25593e69da9f6a9dba7a986bf93
- SHA256: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297
- SHA512: d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1704 icsurcfg.exe
    2012 ~1CD4.tmp
    1320 convuser.exe

- Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\~1D50.tmp.ppt  office_xlm_macros

- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    1688 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
    1688 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
    1704 icsurcfg.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\diskdctr = "C:\\Users\\Admin\\AppData\\Roaming\\bitsetup\\icsurcfg.exe"  313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\SysWOW64\convuser.exe  313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar  POWERPNT.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  POWERPNT.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt  POWERPNT.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  POWERPNT.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  POWERPNT.EXE
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  POWERPNT.EXE
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  POWERPNT.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  POWERPNT.EXE
    Set value (int)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  POWERPNT.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
    1560 POWERPNT.EXE

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    1704 icsurcfg.exe
    followed by 1208 Explorer.EXE and 1320 convuser.exe alternating (64 IoCs in total)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1208 Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  1208 Explorer.EXE  (4 entries)

- Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes (pid, process):
    1208 Explorer.EXE  (2 entries)
    1560 POWERPNT.EXE
    1208 Explorer.EXE  (4 entries)

- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes (pid, process):
    1208 Explorer.EXE  (5 entries)

- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process):
    PID 1688 wrote to memory of 1704  1688 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe -> icsurcfg.exe  (4 entries)
    PID 1704 wrote to memory of 2012  1704 icsurcfg.exe -> ~1CD4.tmp  (4 entries)
    PID 2012 wrote to memory of 1208  2012 ~1CD4.tmp -> Explorer.EXE  (1 entry)
    PID 1688 wrote to memory of 1560  1688 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe -> POWERPNT.EXE  (9 entries)
    PID 1560 wrote to memory of 948   1560 POWERPNT.EXE -> splwow64.exe  (4 entries)
Processes
- [1] C:\Windows\Explorer.EXE  (PID 1208)
      command line: C:\Windows\Explorer.EXE
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - [2] C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe  (PID 1688)
        command line: "C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe"
        signatures: Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe  (PID 1704)
          command line: "C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe"
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\~1CD4.tmp  (PID 2012)
            command line: "C:\Users\Admin\AppData\Local\Temp\~1CD4.tmp"
            signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE  (PID 1560)
          command line: "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\~1D50.tmp.ppt"
          signatures: Modifies Internet Explorer settings; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\splwow64.exe  (PID 948)
            command line: C:\Windows\splwow64.exe 12288
- [1] C:\Windows\SysWOW64\convuser.exe  (PID 1320)
      command line: C:\Windows\SysWOW64\convuser.exe -k
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 5dbecec85de701513fea08a2a7510d5b
  SHA1: a4c671bffc583c387038b6bded534c562e533359
  SHA256: d0bf47b0dbf3fedc3b7ddba78bff3b45ae2427bbe4b2a41e716d0ea5323b39a1
  SHA512: 032355bccad5a437a71d08554ee143f83ab811c60bed7b62297449e1ce9d9f04512ca2351f3fe2b8982a8dec923f1fe5f5754860cebe5080b63f7428ea591332

- MD5: a9ae55d32795c21226c818127d60d670
  SHA1: 2b5c685ba112069216ab62a0e8c049f535612403
  SHA256: efdcbf149da28a90bf23517fd48df67c23c72db10e350adeda950a380cf17524
  SHA512: 1855bd90aa39218502c04a8bc0537590cf51f0fd8f56cc6607cbd43c26d125cb853e95f40d88f207655b7902cad341b120cf1a50bc8777d11b91a2da31fbb887

- MD5: c5c48c212d27a85222b55dc6b1ff57e2
  SHA1: 61234876947035fffb17fafe0f44c05b89437534
  SHA256: a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf
  SHA512: d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

- MD5: c5c48c212d27a85222b55dc6b1ff57e2
  SHA1: 61234876947035fffb17fafe0f44c05b89437534
  SHA256: a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf
  SHA512: d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

- MD5: 0ffd87a198719090f53bf74fedc89844  (same hashes as the submitted sample)
  SHA1: 670ded197734c25593e69da9f6a9dba7a986bf93
  SHA256: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297
  SHA512: d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

- MD5: 0ffd87a198719090f53bf74fedc89844  (same hashes as the submitted sample)
  SHA1: 670ded197734c25593e69da9f6a9dba7a986bf93
  SHA256: 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297
  SHA512: d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

- MD5: 5dbecec85de701513fea08a2a7510d5b
  SHA1: a4c671bffc583c387038b6bded534c562e533359
  SHA256: d0bf47b0dbf3fedc3b7ddba78bff3b45ae2427bbe4b2a41e716d0ea5323b39a1
  SHA512: 032355bccad5a437a71d08554ee143f83ab811c60bed7b62297449e1ce9d9f04512ca2351f3fe2b8982a8dec923f1fe5f5754860cebe5080b63f7428ea591332

- MD5: c5c48c212d27a85222b55dc6b1ff57e2
  SHA1: 61234876947035fffb17fafe0f44c05b89437534
  SHA256: a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf
  SHA512: d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

- MD5: c5c48c212d27a85222b55dc6b1ff57e2
  SHA1: 61234876947035fffb17fafe0f44c05b89437534
  SHA256: a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf
  SHA512: d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2