Analysis
- max time kernel: 149s
- max time network: 191s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-07-2021 23:03

Static task: static1
Behavioral task: behavioral1
Sample: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
Resource: win7v20210408
General
- Target: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
- Size: 1.3MB
- MD5: 4bda3f8d0cb36b33244afdb071a20860
- SHA1: 4e66cd9634c417989b6ccd968c310791f0f64e62
- SHA256: e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1
- SHA512: a21c70a5c6385f04f0332a548727b375fcc244e570c3e8abc20794acf3115b1c689d812c7c8bf72875003dec1797efb3e877c6af821d0d52bd561f99e481b089
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1876  othvidtiraw.exe
- Yara rule match: office_xlm_macros
  Resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc
- Drops file in Program Files directory (2 IoCs)
  Processes:
    File created: C:\PROGRA~3\HPATHV~1\othvidtiraw.exe  (E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe)
    File opened for modification: C:\PROGRA~3\HPATHV~1\othvidtiraw.exe  (E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe)
- Drops file in Windows directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log  (WINWORD.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Registry changes by WINWORD.EXE (listed in the process tree as "Modifies Internet Explorer settings")
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt  (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar  (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  (WINWORD.EXE)
    Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  (WINWORD.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  (WINWORD.EXE)
    Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    PID 1532  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 1532  WINWORD.EXE
    PID 1532  WINWORD.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 320 (E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe) wrote to memory of PID 1532 (WINWORD.EXE)  x4
    PID 1532 (WINWORD.EXE) wrote to memory of PID 1452 (splwow64.exe)  x4
    PID 320 (E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe) wrote to memory of PID 1876 (othvidtiraw.exe)  x3
Processes
- C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
  - C:\ProgramData\HPathvwra\othvidtiraw.exe
    Command line: "C:\ProgramData\HPathvwra\othvidtiraw.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\HPathvwra\othvidtiraw.exe
  MD5: ecc8484da9a95060e49169cda83227b1
  SHA1: a6689067904a3cd992efa151ba2bff1a63e27d3e
  SHA256: 538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89
  SHA512: 119b6f86c5c0b80209916fec6cf79e1e4f0f8c80ed719bc1dfdade9805012aa75aeaf76e2ace240fc2c3245e7c9446513689fb94174b46932c3359e992ea5b2a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc
  MD5: 0e27d177b82ca30ea3b1b2c11f6cf30f
  SHA1: f37cf48a0d50303026b38a1c46eb4df02cc01d53
  SHA256: 0f72243366c4f2bb44abad8e2b3dae07c274fb68812860cdcb33bb47bbf61c2c
  SHA512: 7d2c91730d64f4d96e446d56fb2c6060a80217e37c79241276e28da6ddda79a6c124c3e45fc3564a38a72f78820f27e7015ce5150a0ef7fba7d26e7839765483
- memory/320-61-0x000000001B470000-0x000000001B472000-memory.dmp  Filesize: 8KB
- memory/320-59-0x0000000001040000-0x0000000001041000-memory.dmp  Filesize: 4KB
- memory/1452-68-0x0000000000000000-mapping.dmp
- memory/1452-69-0x000007FEFB531000-0x000007FEFB533000-memory.dmp  Filesize: 8KB
- memory/1532-66-0x0000000075051000-0x0000000075053000-memory.dmp  Filesize: 8KB
- memory/1532-65-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1532-64-0x000000006FAC1000-0x000000006FAC3000-memory.dmp  Filesize: 8KB
- memory/1532-63-0x0000000072041000-0x0000000072044000-memory.dmp  Filesize: 12KB
- memory/1532-62-0x0000000000000000-mapping.dmp
- memory/1532-76-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
- memory/1876-70-0x0000000000000000-mapping.dmp
- memory/1876-73-0x0000000000510000-0x0000000000512000-memory.dmp  Filesize: 8KB
- memory/1876-74-0x000007FEEAAB0000-0x000007FEEBB46000-memory.dmp  Filesize: 16.6MB
- memory/1876-75-0x0000000000516000-0x0000000000535000-memory.dmp  Filesize: 124KB