313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
Size

477KB
MD5

0ffd87a198719090f53bf74fedc89844
SHA1

670ded197734c25593e69da9f6a9dba7a986bf93
SHA256

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297
SHA512

d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Score

8^/10

macro persistence xlm

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

icsurcfg.exe~1CD4.tmpconvuser.exe

pid process

1704 icsurcfg.exe
2012 ~1CD4.tmp
1320 convuser.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~1D50.tmp.ppt	office_xlm_macros

Loads dropped DLL 3 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exeicsurcfg.exe

pid	process
1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
1704	icsurcfg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\diskdctr = "C:\\Users\\Admin\\AppData\\Roaming\\bitsetup\\icsurcfg.exe"	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

Drops file in System32 directory 1 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

description ioc process

File created C:\Windows\SysWOW64\convuser.exe 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\convuser.exe	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

1560 POWERPNT.EXE

pid	process
1560	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsurcfg.exeExplorer.EXEconvuser.exe

pid	process
1704	icsurcfg.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE
1320	convuser.exe
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Explorer.EXEPOWERPNT.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1560 POWERPNT.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1560	POWERPNT.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exeicsurcfg.exe~1CD4.tmpPOWERPNT.EXE

description	pid	process	target process
PID 1688 wrote to memory of 1704	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	icsurcfg.exe
PID 1688 wrote to memory of 1704	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	icsurcfg.exe
PID 1688 wrote to memory of 1704	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	icsurcfg.exe
PID 1688 wrote to memory of 1704	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	icsurcfg.exe
PID 1704 wrote to memory of 2012	1704	icsurcfg.exe	~1CD4.tmp
PID 1704 wrote to memory of 2012	1704	icsurcfg.exe	~1CD4.tmp
PID 1704 wrote to memory of 2012	1704	icsurcfg.exe	~1CD4.tmp
PID 1704 wrote to memory of 2012	1704	icsurcfg.exe	~1CD4.tmp
PID 2012 wrote to memory of 1208	2012	~1CD4.tmp	Explorer.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1688 wrote to memory of 1560	1688	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 1560 wrote to memory of 948	1560	POWERPNT.EXE	splwow64.exe
PID 1560 wrote to memory of 948	1560	POWERPNT.EXE	splwow64.exe
PID 1560 wrote to memory of 948	1560	POWERPNT.EXE	splwow64.exe
PID 1560 wrote to memory of 948	1560	POWERPNT.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208

C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
"C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe
"C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\~1CD4.tmp
"C:\Users\Admin\AppData\Local\Temp\~1CD4.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\~1D50.tmp.ppt"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:948

C:\Windows\SysWOW64\convuser.exe
C:\Windows\SysWOW64\convuser.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1CD4.tmp

MD5
5dbecec85de701513fea08a2a7510d5b

SHA1
a4c671bffc583c387038b6bded534c562e533359

SHA256
d0bf47b0dbf3fedc3b7ddba78bff3b45ae2427bbe4b2a41e716d0ea5323b39a1

SHA512
032355bccad5a437a71d08554ee143f83ab811c60bed7b62297449e1ce9d9f04512ca2351f3fe2b8982a8dec923f1fe5f5754860cebe5080b63f7428ea591332

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1D50.tmp.ppt

MD5
a9ae55d32795c21226c818127d60d670

SHA1
2b5c685ba112069216ab62a0e8c049f535612403

SHA256
efdcbf149da28a90bf23517fd48df67c23c72db10e350adeda950a380cf17524

SHA512
1855bd90aa39218502c04a8bc0537590cf51f0fd8f56cc6607cbd43c26d125cb853e95f40d88f207655b7902cad341b120cf1a50bc8777d11b91a2da31fbb887

Download Submit
C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe

MD5
c5c48c212d27a85222b55dc6b1ff57e2

SHA1
61234876947035fffb17fafe0f44c05b89437534

SHA256
a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf

SHA512
d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

Download Submit
C:\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe

MD5
c5c48c212d27a85222b55dc6b1ff57e2

SHA1
61234876947035fffb17fafe0f44c05b89437534

SHA256
a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf

SHA512
d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

Download Submit
C:\Windows\SysWOW64\convuser.exe

MD5
0ffd87a198719090f53bf74fedc89844

SHA1
670ded197734c25593e69da9f6a9dba7a986bf93

SHA256
313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

SHA512
d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Download Submit
C:\Windows\SysWOW64\convuser.exe

MD5
0ffd87a198719090f53bf74fedc89844

SHA1
670ded197734c25593e69da9f6a9dba7a986bf93

SHA256
313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

SHA512
d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Download Submit
\Users\Admin\AppData\Local\Temp\~1CD4.tmp

MD5
5dbecec85de701513fea08a2a7510d5b

SHA1
a4c671bffc583c387038b6bded534c562e533359

SHA256
d0bf47b0dbf3fedc3b7ddba78bff3b45ae2427bbe4b2a41e716d0ea5323b39a1

SHA512
032355bccad5a437a71d08554ee143f83ab811c60bed7b62297449e1ce9d9f04512ca2351f3fe2b8982a8dec923f1fe5f5754860cebe5080b63f7428ea591332

Download Submit
\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe

MD5
c5c48c212d27a85222b55dc6b1ff57e2

SHA1
61234876947035fffb17fafe0f44c05b89437534

SHA256
a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf

SHA512
d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

Download Submit
\Users\Admin\AppData\Roaming\bitsetup\icsurcfg.exe

MD5
c5c48c212d27a85222b55dc6b1ff57e2

SHA1
61234876947035fffb17fafe0f44c05b89437534

SHA256
a759a9efd93564f20861e0e78ee70a2cea264a2b3aa4b9fb2ce24c01e3fab9cf

SHA512
d992f5da885992ccc12953109f04853ab5bb5fce8fa2aa67372525759fcf862733d75f15491453630b2509b28a3c0d2626435517f7b28677058c8e8a6ae503e2

Download Submit
memory/948-81-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/948-80-0x0000000000000000-mapping.dmp

Download
memory/1208-74-0x0000000003B10000-0x0000000003B53000-memory.dmp

Filesize
268KB

Download
memory/1320-75-0x00000000001E0000-0x000000000026B000-memory.dmp

Filesize
556KB

Download
memory/1560-76-0x0000000000000000-mapping.dmp

Download
memory/1560-77-0x0000000073CB1000-0x0000000073CB5000-memory.dmp

Filesize
16KB

Download
memory/1560-78-0x0000000071361000-0x0000000071363000-memory.dmp

Filesize
8KB

Download
memory/1560-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1560-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1688-59-0x0000000000430000-0x00000000004BB000-memory.dmp

Filesize
556KB

Download
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1704-73-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/1704-63-0x0000000000000000-mapping.dmp

Download
memory/2012-68-0x0000000000000000-mapping.dmp

Download