Analysis
- Max time kernel: 122s
- Max time network: 169s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 16-07-2021 22:11

Static task: static1
Behavioral task: behavioral1
- Sample: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
- Resource: win7v20210410
General
- Target: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
- Size: 1.3MB
- MD5: 4bda3f8d0cb36b33244afdb071a20860
- SHA1: 4e66cd9634c417989b6ccd968c310791f0f64e62
- SHA256: e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1
- SHA512: a21c70a5c6385f04f0332a548727b375fcc244e570c3e8abc20794acf3115b1c689d812c7c8bf72875003dec1797efb3e877c6af821d0d52bd561f99e481b089
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
- PID 1472 othvidtiraw.exe
-
YARA rule matches:
- Resource: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc, rule: office_xlm_macros
-
Drops file in Program Files directory 2 IoCs
Processes: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
- File created: C:\PROGRA~3\HPATHV~1\othvidtiraw.exe
- File opened for modification: C:\PROGRA~3\HPATHV~1\othvidtiraw.exe
Note: C:\PROGRA~3 is the 8.3 short name for C:\ProgramData here (the process tree below shows the same file under its long path, C:\ProgramData\HPathvwra\othvidtiraw.exe), so the write goes to ProgramData, a directory any standard user can write to, not to a Program Files directory.
-
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE (all keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer)
- Key created: Toolbar
- Key created: MenuExt
- Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
- Set value (str): Toolbar\ShowDiscussionButton = "Yes"
- Key created: MenuExt\Se&nd to OneNote
- Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created: MenuExt\E&xport to Microsoft Excel
- Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Note: every value here points at Office's own binaries under C:\PROGRA~2\MICROS~1\Office14 (ONBttnIE.dll, EXCEL.EXE); these are the context-menu entries Office 2010 registers when Word runs, not settings written by the sample, so they should not be treated as attacker persistence.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- PID 1556 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- PID 1472 othvidtiraw.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- PID 1472 othvidtiraw.exe, token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 1556 WINWORD.EXE (2 IoCs)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe, WINWORD.EXE
- PID 1668 E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe wrote to memory of PID 1556 WINWORD.EXE (4 IoCs)
- PID 1556 WINWORD.EXE wrote to memory of PID 892 splwow64.exe (4 IoCs)
- PID 1668 E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe wrote to memory of PID 1472 othvidtiraw.exe (3 IoCs)
Note: each of these writes is from a parent into a child it has just created (compare the process tree below); writing startup data into a new child's address space is part of ordinary process creation, so on its own this signature corroborates the parent/child relationships rather than showing injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe (PID 1668)
Command line: "C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe"
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1556, child of 1668)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\splwow64.exe (PID 892, child of 1556)
    Command line: C:\Windows\splwow64.exe 12288
  -
  C:\ProgramData\HPathvwra\othvidtiraw.exe (PID 1472, child of 1668)
  Command line: "C:\ProgramData\HPathvwra\othvidtiraw.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
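The process tree above is the whole story of this sample in one picture: an executable in the user's Temp folder opens Word on a decoy document it parked in the roaming Templates folder, and in parallel drops and runs a second executable under C:\ProgramData. The following is an added example, not code from the sandbox or from the sample, showing how to turn that chain into two host-side detections over Sysmon-style process-create (event 1) and file-create (event 11) records. The event list is constructed from the PIDs, paths and command lines in this report; the simplified field names, the explorer.exe parent (PID 1000) and the final benign control event are assumptions added for the demonstration.

```python
"""Detection logic for the dropper -> decoy Word -> dropped EXE chain in this report.

Added example; not the sandbox's or the sample's code. Events are a simplified
Sysmon layout (id 1 = process create, id 11 = file create) reconstructed from
the report. The explorer.exe parent and the benign control event are assumed.
"""
from __future__ import annotations

import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DROPPED = r"C:\ProgramData\HPathvwra\othvidtiraw.exe"
DECOY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc"

# Constructed events. PIDs, images and command lines come from the report;
# the explorer.exe parent (PID 1000) and the last event are assumptions.
EVENTS = [
    {"id": 1, "pid": 1668, "ppid": 1000, "image": SAMPLE,
     "parent": r"C:\Windows\explorer.exe", "cmd": '"' + SAMPLE + '"'},
    {"id": 11, "pid": 1668, "image": SAMPLE, "target": DROPPED},
    {"id": 1, "pid": 1556, "ppid": 1668, "image": WINWORD, "parent": SAMPLE,
     "cmd": '"' + WINWORD + '" /n "' + DECOY + '"'},
    {"id": 1, "pid": 892, "ppid": 1556, "image": r"C:\Windows\splwow64.exe",
     "parent": WINWORD, "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"id": 1, "pid": 1472, "ppid": 1668, "image": DROPPED, "parent": SAMPLE,
     "cmd": '"' + DROPPED + '"'},
    # Benign control (assumed): a user double-clicking a document in Explorer.
    {"id": 1, "pid": 2000, "ppid": 1000, "image": WINWORD,
     "parent": r"C:\Windows\explorer.exe",
     "cmd": '"' + WINWORD + '" "C:\\Users\\Admin\\Documents\\report.docx"'},
]

# Directories a standard user can write to; a parent running from one of
# these is the staging signal shared by both rules.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.I)
# A quoted Word document argument that lives in the roaming Templates folder,
# where this sample parked its decoy, instead of a normal document location.
TEMPLATES_DOC = re.compile(
    r'"[^"]*\\Microsoft\\Windows\\Templates\\[^"]*\.(doc|docx|docm|dot|dotm)"', re.I)


def word_decoy_launch(ev: dict) -> bool:
    """Rule 1: WINWORD.EXE started by a process in a user-writable directory and
    pointed at a document under Templates (the dropper-plus-decoy pattern)."""
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() != "winword.exe":
        return False
    return bool(USER_WRITABLE.search(ev["parent"])) and bool(TEMPLATES_DOC.search(ev["cmd"]))


def programdata_drop_then_exec(events: list[dict]) -> list[str]:
    """Rule 2: an .exe written under C:\\ProgramData (event 11) that is later
    executed (event 1) as a child of the very process that wrote it."""
    written: dict[str, int] = {}  # lower-cased path -> pid of the writer
    hits: list[str] = []
    for ev in events:
        if ev["id"] == 11:
            target = ev["target"].lower()
            if target.startswith("c:\\programdata\\") and target.endswith(".exe"):
                written[target] = ev["pid"]
        elif ev["id"] == 1:
            image = ev["image"].lower()
            if image in written and ev["ppid"] == written[image]:
                hits.append(ev["image"])
    return hits


def analyse(events: list[dict]) -> dict:
    """Run both rules; returns the offending Word PIDs and dropped-EXE paths."""
    return {
        "word_decoy_pids": [ev["pid"] for ev in events if word_decoy_launch(ev)],
        "dropped_then_executed": programdata_drop_then_exec(events),
    }


if __name__ == "__main__":
    print(analyse(EVENTS))
```

Run against the constructed events, rule 1 fires only on PID 1556 (the Word instance spawned by the sample, not the Explorer-launched control) and rule 2 returns C:\ProgramData\HPathvwra\othvidtiraw.exe. Rule 2 deliberately requires the writer and the parent of the later process to be the same PID; that correlation is what separates this chain from an installer legitimately staging files in ProgramData.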
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\HPathvwra\othvidtiraw.exe
- MD5: ecc8484da9a95060e49169cda83227b1
- SHA1: a6689067904a3cd992efa151ba2bff1a63e27d3e
- SHA256: 538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89
- SHA512: 119b6f86c5c0b80209916fec6cf79e1e4f0f8c80ed719bc1dfdade9805012aa75aeaf76e2ace240fc2c3245e7c9446513689fb94174b46932c3359e992ea5b2a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc
- MD5: 0e27d177b82ca30ea3b1b2c11f6cf30f
- SHA1: f37cf48a0d50303026b38a1c46eb4df02cc01d53
- SHA256: 0f72243366c4f2bb44abad8e2b3dae07c274fb68812860cdcb33bb47bbf61c2c
- SHA512: 7d2c91730d64f4d96e446d56fb2c6060a80217e37c79241276e28da6ddda79a6c124c3e45fc3564a38a72f78820f27e7015ce5150a0ef7fba7d26e7839765483
-
Memory dumps (PID-ordinal-range):
- memory/892-68-0x0000000000000000-mapping.dmp
- memory/892-69-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp, filesize 8KB
- memory/1472-74-0x00000000009A0000-0x00000000009A2000-memory.dmp, filesize 8KB
- memory/1472-70-0x0000000000000000-mapping.dmp
- memory/1472-73-0x000007FEEAFA0000-0x000007FEEC036000-memory.dmp, filesize 16.6MB
- memory/1472-75-0x00000000009A6000-0x00000000009C5000-memory.dmp, filesize 124KB
- memory/1556-66-0x00000000753B1000-0x00000000753B3000-memory.dmp, filesize 8KB
- memory/1556-63-0x00000000726F1000-0x00000000726F4000-memory.dmp, filesize 12KB
- memory/1556-65-0x000000005FFF0000-0x0000000060000000-memory.dmp, filesize 64KB
- memory/1556-62-0x0000000000000000-mapping.dmp
- memory/1556-64-0x0000000070171000-0x0000000070173000-memory.dmp, filesize 8KB
- memory/1556-76-0x000000005FFF0000-0x0000000060000000-memory.dmp, filesize 64KB
- memory/1668-59-0x0000000000830000-0x0000000000831000-memory.dmp, filesize 4KB
- memory/1668-61-0x000000001B210000-0x000000001B212000-memory.dmp, filesize 8KB