f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

Analysis

max time kernel
150s
max time network
104s
platform
windows7_x64
resource
win7v20210410
submitted
13-05-2021 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
Size

354KB
MD5

83442bfd37caf80bddd456fcdc21348c
SHA1

d9545548080bbd21772fb1498fc14f6ef05f2394
SHA256

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd
SHA512

16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Score

8^/10

macro persistence xlm

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

cmstHost.exe~3708.tmpbthudt32.exe

pid process

1716 cmstHost.exe
1364 ~3708.tmp
1328 bthudt32.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~3775.tmp.doc	office_xlm_macros

Loads dropped DLL 3 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.execmstHost.exe

pid	process
1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
1716	cmstHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmlwiz = "C:\\Users\\Admin\\AppData\\Roaming\\PINGetup\\cmstHost.exe"	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

Drops file in System32 directory 1 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

description ioc process

File created C:\Windows\SysWOW64\bthudt32.exe f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File created	C:\Windows\SysWOW64\bthudt32.exe	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

284 WINWORD.EXE

pid	process
284	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cmstHost.exeExplorer.EXEbthudt32.exe

pid	process
1716	cmstHost.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE
1328	bthudt32.exe
1248	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE

pid	process
1248	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

284 WINWORD.EXE
284 WINWORD.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
284	WINWORD.EXE
284	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.execmstHost.exe~3708.tmpWINWORD.EXE

description	pid	process	target process
PID 1096 wrote to memory of 1716	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	cmstHost.exe
PID 1096 wrote to memory of 1716	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	cmstHost.exe
PID 1096 wrote to memory of 1716	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	cmstHost.exe
PID 1096 wrote to memory of 1716	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	cmstHost.exe
PID 1716 wrote to memory of 1364	1716	cmstHost.exe	~3708.tmp
PID 1716 wrote to memory of 1364	1716	cmstHost.exe	~3708.tmp
PID 1716 wrote to memory of 1364	1716	cmstHost.exe	~3708.tmp
PID 1716 wrote to memory of 1364	1716	cmstHost.exe	~3708.tmp
PID 1364 wrote to memory of 1248	1364	~3708.tmp	Explorer.EXE
PID 1096 wrote to memory of 284	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE
PID 1096 wrote to memory of 284	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE
PID 1096 wrote to memory of 284	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE
PID 1096 wrote to memory of 284	1096	f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe	WINWORD.EXE
PID 284 wrote to memory of 876	284	WINWORD.EXE	splwow64.exe
PID 284 wrote to memory of 876	284	WINWORD.EXE	splwow64.exe
PID 284 wrote to memory of 876	284	WINWORD.EXE	splwow64.exe
PID 284 wrote to memory of 876	284	WINWORD.EXE	splwow64.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248

C:\Users\Admin\AppData\Local\Temp\f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe
"C:\Users\Admin\AppData\Local\Temp\f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe
"C:\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\~3708.tmp
"C:\Users\Admin\AppData\Local\Temp\~3708.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~3775.tmp.doc"
3⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:876

C:\Windows\SysWOW64\bthudt32.exe
C:\Windows\SysWOW64\bthudt32.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~3708.tmp

MD5
1c28b1f9488349738e4105f717cf8c13

SHA1
353ad68bac8b0003691fa6766733d80833a27f9d

SHA256
1f0494bbd5b204bb6df5ce8a02ed836164b0c7fb0ce007eaf05d6f1dff5094e7

SHA512
1fcd827d98b64501c6e89ba94afe4fc270488837ff877d71e28eb3375bd1ed3042e44130774b058cc6373988602b969f2ae8552cd222655ce28d79220d8784b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3775.tmp.doc

MD5
d790423a93aa5c0ad659924d004d5dda

SHA1
8278cf6e8a997ff14a1a3958825c168941ea6422

SHA256
4d3f3c44b21f1b42312bf7c1dcf5fc90c71b0b399aec011451123b5c99b5fab1

SHA512
9a564c87f6c430e8f2180021920372593ce25eb7cf894fbce3e48ddcc2b49244eab2e30d871174b80d83fe0f8d949a49745c92db7d6362f0d2138dbe7ec503aa

Download Submit
C:\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe

MD5
1e7955822908193ef71b1cba83d24af1

SHA1
4e5feccd8ea4d2ebae3725d9baf0befd96138320

SHA256
f77651213bc9949da9be3a871e87820a6d24fe4837d533c79993ae9c1faf7c0a

SHA512
114f5bc637bc9c356e869227fa10b89616b28631e67606b370c6a7d7e09643ae008d871fe92afc7fce7583af7fc221ff604ae0b756776e860e89aef38fd36196

Download Submit
C:\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe

MD5
1e7955822908193ef71b1cba83d24af1

SHA1
4e5feccd8ea4d2ebae3725d9baf0befd96138320

SHA256
f77651213bc9949da9be3a871e87820a6d24fe4837d533c79993ae9c1faf7c0a

SHA512
114f5bc637bc9c356e869227fa10b89616b28631e67606b370c6a7d7e09643ae008d871fe92afc7fce7583af7fc221ff604ae0b756776e860e89aef38fd36196

Download Submit
C:\Windows\SysWOW64\bthudt32.exe

MD5
83442bfd37caf80bddd456fcdc21348c

SHA1
d9545548080bbd21772fb1498fc14f6ef05f2394

SHA256
f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

SHA512
16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Download Submit
C:\Windows\SysWOW64\bthudt32.exe

MD5
83442bfd37caf80bddd456fcdc21348c

SHA1
d9545548080bbd21772fb1498fc14f6ef05f2394

SHA256
f40b137db9bc978f5e32bdd45ac0cd6f52f61ea5c49ef3660a786352df1a3ecd

SHA512
16a136a80599751e3aa6c96aa58bec9b84fdddd21b3e98aeb9ac0f35678c496f990683d89ec350306d9ef9cd8d8e3164100dbdafaf699fe814698e6b864c5b81

Download Submit
\Users\Admin\AppData\Local\Temp\~3708.tmp

MD5
1c28b1f9488349738e4105f717cf8c13

SHA1
353ad68bac8b0003691fa6766733d80833a27f9d

SHA256
1f0494bbd5b204bb6df5ce8a02ed836164b0c7fb0ce007eaf05d6f1dff5094e7

SHA512
1fcd827d98b64501c6e89ba94afe4fc270488837ff877d71e28eb3375bd1ed3042e44130774b058cc6373988602b969f2ae8552cd222655ce28d79220d8784b7

Download Submit
\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe

MD5
1e7955822908193ef71b1cba83d24af1

SHA1
4e5feccd8ea4d2ebae3725d9baf0befd96138320

SHA256
f77651213bc9949da9be3a871e87820a6d24fe4837d533c79993ae9c1faf7c0a

SHA512
114f5bc637bc9c356e869227fa10b89616b28631e67606b370c6a7d7e09643ae008d871fe92afc7fce7583af7fc221ff604ae0b756776e860e89aef38fd36196

Download Submit
\Users\Admin\AppData\Roaming\PINGetup\cmstHost.exe

MD5
1e7955822908193ef71b1cba83d24af1

SHA1
4e5feccd8ea4d2ebae3725d9baf0befd96138320

SHA256
f77651213bc9949da9be3a871e87820a6d24fe4837d533c79993ae9c1faf7c0a

SHA512
114f5bc637bc9c356e869227fa10b89616b28631e67606b370c6a7d7e09643ae008d871fe92afc7fce7583af7fc221ff604ae0b756776e860e89aef38fd36196

Download Submit
memory/284-75-0x00000000721B1000-0x00000000721B4000-memory.dmp

Filesize
12KB

Download
memory/284-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/284-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/284-74-0x0000000000000000-mapping.dmp

Download
memory/284-76-0x000000006FC31000-0x000000006FC33000-memory.dmp

Filesize
8KB

Download
memory/876-83-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/876-82-0x0000000000000000-mapping.dmp

Download
memory/1096-60-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1096-61-0x0000000000260000-0x00000000002CC000-memory.dmp

Filesize
432KB

Download
memory/1248-78-0x00000000024C0000-0x0000000002503000-memory.dmp

Filesize
268KB

Download
memory/1328-79-0x0000000000170000-0x00000000001DC000-memory.dmp

Filesize
432KB

Download
memory/1364-69-0x0000000000000000-mapping.dmp

Download
memory/1716-77-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download