e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1

General

Target

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
Size

1.3MB
MD5

4bda3f8d0cb36b33244afdb071a20860
SHA1

4e66cd9634c417989b6ccd968c310791f0f64e62
SHA256

e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1
SHA512

a21c70a5c6385f04f0332a548727b375fcc244e570c3e8abc20794acf3115b1c689d812c7c8bf72875003dec1797efb3e877c6af821d0d52bd561f99e481b089

Score

8^/10

macro xlm

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

othvidtiraw.exe

pid process

1472 othvidtiraw.exe

pid	process
1472	othvidtiraw.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc	office_xlm_macros

Drops file in Program Files directory 2 IoCs

Processes:

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe

description	ioc	process
File created	C:\PROGRA~3\HPATHV~1\othvidtiraw.exe	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
File opened for modification	C:\PROGRA~3\HPATHV~1\othvidtiraw.exe	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1556 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

othvidtiraw.exe

pid process

1472 othvidtiraw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

othvidtiraw.exe

description pid process

Token: SeDebugPrivilege 1472 othvidtiraw.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1556 WINWORD.EXE
1556 WINWORD.EXE

pid	process
1556	WINWORD.EXE

pid	process
1472	othvidtiraw.exe

description	pid	process
Token: SeDebugPrivilege	1472	othvidtiraw.exe

pid	process
1556	WINWORD.EXE
1556	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exeWINWORD.EXE

description	pid	process	target process
PID 1668 wrote to memory of 1556	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 1668 wrote to memory of 1556	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 1668 wrote to memory of 1556	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 1668 wrote to memory of 1556	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 1556 wrote to memory of 892	1556	WINWORD.EXE	splwow64.exe
PID 1556 wrote to memory of 892	1556	WINWORD.EXE	splwow64.exe
PID 1556 wrote to memory of 892	1556	WINWORD.EXE	splwow64.exe
PID 1556 wrote to memory of 892	1556	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 1472	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	othvidtiraw.exe
PID 1668 wrote to memory of 1472	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	othvidtiraw.exe
PID 1668 wrote to memory of 1472	1668	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	othvidtiraw.exe

C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
"C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:892

C:\ProgramData\HPathvwra\othvidtiraw.exe
"C:\ProgramData\HPathvwra\othvidtiraw.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HPathvwra\othvidtiraw.exe
MD5
ecc8484da9a95060e49169cda83227b1

SHA1
a6689067904a3cd992efa151ba2bff1a63e27d3e

SHA256
538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89

SHA512
119b6f86c5c0b80209916fec6cf79e1e4f0f8c80ed719bc1dfdade9805012aa75aeaf76e2ace240fc2c3245e7c9446513689fb94174b46932c3359e992ea5b2a

Download Submit
C:\ProgramData\HPathvwra\othvidtiraw.exe
MD5
ecc8484da9a95060e49169cda83227b1

SHA1
a6689067904a3cd992efa151ba2bff1a63e27d3e

SHA256
538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89

SHA512
119b6f86c5c0b80209916fec6cf79e1e4f0f8c80ed719bc1dfdade9805012aa75aeaf76e2ace240fc2c3245e7c9446513689fb94174b46932c3359e992ea5b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc
MD5
0e27d177b82ca30ea3b1b2c11f6cf30f

SHA1
f37cf48a0d50303026b38a1c46eb4df02cc01d53

SHA256
0f72243366c4f2bb44abad8e2b3dae07c274fb68812860cdcb33bb47bbf61c2c

SHA512
7d2c91730d64f4d96e446d56fb2c6060a80217e37c79241276e28da6ddda79a6c124c3e45fc3564a38a72f78820f27e7015ce5150a0ef7fba7d26e7839765483

Download Submit
memory/892-68-0x0000000000000000-mapping.dmp

Download
memory/892-69-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1472-74-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1472-73-0x000007FEEAFA0000-0x000007FEEC036000-memory.dmp

Filesize
16.6MB

Download
memory/1472-75-0x00000000009A6000-0x00000000009C5000-memory.dmp

Filesize
124KB

Download
memory/1556-66-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1556-63-0x00000000726F1000-0x00000000726F4000-memory.dmp

Filesize
12KB

Download
memory/1556-65-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1556-62-0x0000000000000000-mapping.dmp

Download
memory/1556-64-0x0000000070171000-0x0000000070173000-memory.dmp

Filesize
8KB

Download
memory/1556-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1668-59-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x000000001B210000-0x000000001B212000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads