3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb

Analysis

max time kernel
150s
max time network
8s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe
Size

352KB
MD5

c473fd7072c93f65f882f60fc3c5f4d6
SHA1

1c8863d05817095c3202fcba668c53fe53a4580a
SHA256

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb
SHA512

0948bf4a766c6c011a8390ebceb599cb4a0d14a2330c96b05c6c6158544bccbba216870bdab7ada86be38b6d91e5c14caf1f68db5ffe0330da3764b0778447d4

Score

8^/10

macro persistence xlm

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

ocsepubw.exe~1BDA.tmpdfrgpSNK.exe

pid process

1532 ocsepubw.exe
1420 ~1BDA.tmp
1712 dfrgpSNK.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~1C76.tmp.doc	office_xlm_macros

Loads dropped DLL 3 IoCs

Processes:

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exeocsepubw.exe

pid	process
1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe
1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe
1532	ocsepubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\expaHost = "C:\\Users\\Admin\\AppData\\Roaming\\RmClkeng\\ocsepubw.exe"	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe

Drops file in System32 directory 1 IoCs

Processes:

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe

description ioc process

File created C:\Windows\SysWOW64\dfrgpSNK.exe 3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File created	C:\Windows\SysWOW64\dfrgpSNK.exe	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

560 WINWORD.EXE

pid	process
560	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ocsepubw.exeExplorer.EXEdfrgpSNK.exe

pid	process
1532	ocsepubw.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE
1712	dfrgpSNK.exe
1380	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE

pid	process
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

560 WINWORD.EXE
560 WINWORD.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
560	WINWORD.EXE
560	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exeocsepubw.exe~1BDA.tmpWINWORD.EXE

description	pid	process	target process
PID 1100 wrote to memory of 1532	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	ocsepubw.exe
PID 1100 wrote to memory of 1532	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	ocsepubw.exe
PID 1100 wrote to memory of 1532	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	ocsepubw.exe
PID 1100 wrote to memory of 1532	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	ocsepubw.exe
PID 1532 wrote to memory of 1420	1532	ocsepubw.exe	~1BDA.tmp
PID 1532 wrote to memory of 1420	1532	ocsepubw.exe	~1BDA.tmp
PID 1532 wrote to memory of 1420	1532	ocsepubw.exe	~1BDA.tmp
PID 1532 wrote to memory of 1420	1532	ocsepubw.exe	~1BDA.tmp
PID 1420 wrote to memory of 1380	1420	~1BDA.tmp	Explorer.EXE
PID 1100 wrote to memory of 560	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	WINWORD.EXE
PID 1100 wrote to memory of 560	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	WINWORD.EXE
PID 1100 wrote to memory of 560	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	WINWORD.EXE
PID 1100 wrote to memory of 560	1100	3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe	WINWORD.EXE
PID 560 wrote to memory of 632	560	WINWORD.EXE	splwow64.exe
PID 560 wrote to memory of 632	560	WINWORD.EXE	splwow64.exe
PID 560 wrote to memory of 632	560	WINWORD.EXE	splwow64.exe
PID 560 wrote to memory of 632	560	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

C:\Users\Admin\AppData\Local\Temp\3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe
"C:\Users\Admin\AppData\Local\Temp\3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe
"C:\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\~1BDA.tmp
"C:\Users\Admin\AppData\Local\Temp\~1BDA.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~1C76.tmp.doc"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:632

C:\Windows\SysWOW64\dfrgpSNK.exe
C:\Windows\SysWOW64\dfrgpSNK.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~1BDA.tmp

MD5
00aea43b3420988c977c14d83a8b9668

SHA1
054d791356238f51a0a4cefb860739a34868db44

SHA256
93598d227bff890dbbcaf3a28958c7d608557ce4b64d90a963a1f5c8dd86418c

SHA512
93ab14b47b960223dd8c7a91a697cafbf5ced8d3b74c04b8ef9ad60092cc6235fde1f195da8f46b4a276b88b4731842efd66e30d071353557a53ead6f383bd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1C76.tmp.doc

MD5
af2ab063c2b3d1328645622493548540

SHA1
9c6d4d79104742d74ffef7a55908b23c5925548a

SHA256
10ec2d4029346d377bace692cf165c8020abc3a3af1c73a655eaba65e3f6bdde

SHA512
04c8d2f67aad0f64df88b27732bd874f5765845b36a77b369f9c6928c959f88c1dfab2cb37ccc0fc08dbccd080ffe1fced37077e4724dc0a102c12a61a41fe75

Download Submit
C:\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe

MD5
8a278486fcdd911fc3399362fcf7b2f3

SHA1
7e375e23e592725f8f57a995a5b50d41eb0039cb

SHA256
7abf62bf11c0039dae1b54522880492a97f935574f74537c8054261632395c58

SHA512
b86e0e1faba25d1844b4f96b66b1e3087e72980456d970f581af67077e5f61c96b49355657302417a34e79ee667253e46612f040ada9c8ef7fb1f5931ca56020

Download Submit
C:\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe

MD5
8a278486fcdd911fc3399362fcf7b2f3

SHA1
7e375e23e592725f8f57a995a5b50d41eb0039cb

SHA256
7abf62bf11c0039dae1b54522880492a97f935574f74537c8054261632395c58

SHA512
b86e0e1faba25d1844b4f96b66b1e3087e72980456d970f581af67077e5f61c96b49355657302417a34e79ee667253e46612f040ada9c8ef7fb1f5931ca56020

Download Submit
C:\Windows\SysWOW64\dfrgpSNK.exe

MD5
c473fd7072c93f65f882f60fc3c5f4d6

SHA1
1c8863d05817095c3202fcba668c53fe53a4580a

SHA256
3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb

SHA512
0948bf4a766c6c011a8390ebceb599cb4a0d14a2330c96b05c6c6158544bccbba216870bdab7ada86be38b6d91e5c14caf1f68db5ffe0330da3764b0778447d4

Download Submit
C:\Windows\SysWOW64\dfrgpSNK.exe

MD5
c473fd7072c93f65f882f60fc3c5f4d6

SHA1
1c8863d05817095c3202fcba668c53fe53a4580a

SHA256
3ed3d68215aabfeeb5e513af8659b6d6c6dcbc59a0142c83e386ec32098b1beb

SHA512
0948bf4a766c6c011a8390ebceb599cb4a0d14a2330c96b05c6c6158544bccbba216870bdab7ada86be38b6d91e5c14caf1f68db5ffe0330da3764b0778447d4

Download Submit
\Users\Admin\AppData\Local\Temp\~1BDA.tmp

MD5
00aea43b3420988c977c14d83a8b9668

SHA1
054d791356238f51a0a4cefb860739a34868db44

SHA256
93598d227bff890dbbcaf3a28958c7d608557ce4b64d90a963a1f5c8dd86418c

SHA512
93ab14b47b960223dd8c7a91a697cafbf5ced8d3b74c04b8ef9ad60092cc6235fde1f195da8f46b4a276b88b4731842efd66e30d071353557a53ead6f383bd68

Download Submit
\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe

MD5
8a278486fcdd911fc3399362fcf7b2f3

SHA1
7e375e23e592725f8f57a995a5b50d41eb0039cb

SHA256
7abf62bf11c0039dae1b54522880492a97f935574f74537c8054261632395c58

SHA512
b86e0e1faba25d1844b4f96b66b1e3087e72980456d970f581af67077e5f61c96b49355657302417a34e79ee667253e46612f040ada9c8ef7fb1f5931ca56020

Download Submit
\Users\Admin\AppData\Roaming\RmClkeng\ocsepubw.exe

MD5
8a278486fcdd911fc3399362fcf7b2f3

SHA1
7e375e23e592725f8f57a995a5b50d41eb0039cb

SHA256
7abf62bf11c0039dae1b54522880492a97f935574f74537c8054261632395c58

SHA512
b86e0e1faba25d1844b4f96b66b1e3087e72980456d970f581af67077e5f61c96b49355657302417a34e79ee667253e46612f040ada9c8ef7fb1f5931ca56020

Download Submit
memory/560-78-0x00000000728A1000-0x00000000728A4000-memory.dmp

Filesize
12KB

Download
memory/560-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/560-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/560-79-0x0000000070321000-0x0000000070323000-memory.dmp

Filesize
8KB

Download
memory/560-77-0x0000000000000000-mapping.dmp

Download
memory/632-83-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/632-82-0x0000000000000000-mapping.dmp

Download
memory/1100-61-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1100-60-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1380-75-0x0000000004AD0000-0x0000000004B13000-memory.dmp

Filesize
268KB

Download
memory/1420-69-0x0000000000000000-mapping.dmp

Download
memory/1532-74-0x00000000000B0000-0x00000000000F0000-memory.dmp

Filesize
256KB

Download
memory/1532-64-0x0000000000000000-mapping.dmp

Download
memory/1712-76-0x00000000004D0000-0x000000000053C000-memory.dmp

Filesize
432KB

Download