e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1

General

Target

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
Size

1.3MB
MD5

4bda3f8d0cb36b33244afdb071a20860
SHA1

4e66cd9634c417989b6ccd968c310791f0f64e62
SHA256

e16df177681e356ab8a9491e841fa1a757bc40069e2f42493b9238f0584cb9f1
SHA512

a21c70a5c6385f04f0332a548727b375fcc244e570c3e8abc20794acf3115b1c689d812c7c8bf72875003dec1797efb3e877c6af821d0d52bd561f99e481b089

Score

8^/10

macro xlm

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

othvidtiraw.exe

pid process

1988 othvidtiraw.exe

pid	process
1988	othvidtiraw.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc	office_xlm_macros

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2784 WINWORD.EXE
2784 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

othvidtiraw.exe

pid process

1988 othvidtiraw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

othvidtiraw.exe

description pid process

Token: SeDebugPrivilege 1988 othvidtiraw.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2784 WINWORD.EXE
2784 WINWORD.EXE

pid	process
1988	othvidtiraw.exe

description	pid	process
Token: SeDebugPrivilege	1988	othvidtiraw.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

WINWORD.EXE

pid	process
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE
2784	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe

description	pid	process	target process
PID 632 wrote to memory of 2784	632	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 632 wrote to memory of 2784	632	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	WINWORD.EXE
PID 632 wrote to memory of 1988	632	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	othvidtiraw.exe
PID 632 wrote to memory of 1988	632	E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe	othvidtiraw.exe

C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe
"C:\Users\Admin\AppData\Local\Temp\E16DF177681E356AB8A9491E841FA1A757BC40069E2F4.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2784

C:\ProgramData\HPathvwra\othvidtiraw.exe
"C:\ProgramData\HPathvwra\othvidtiraw.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HPathvwra\othvidtiraw.exe
MD5
9d1bafca6df85aa3cab5846ab1408984

SHA1
c25531693b7b45b0a9fadf6c81738b4afd8c28c4

SHA256
012eba6182006cf9772ff509896fc2a929b5fe3062f29ed70c451c8ebd393d27

SHA512
c51273671b857e3df84f0ceaf4628110f918ed84937a0973e9aa5aa3dcbef8aacd729d5587f2c981a8c5d35d601f172e1cb609425ef97bbed35b26d2d9380b41

Download Submit
C:\ProgramData\HPathvwra\othvidtiraw.exe
MD5
9d1bafca6df85aa3cab5846ab1408984

SHA1
c25531693b7b45b0a9fadf6c81738b4afd8c28c4

SHA256
012eba6182006cf9772ff509896fc2a929b5fe3062f29ed70c451c8ebd393d27

SHA512
c51273671b857e3df84f0ceaf4628110f918ed84937a0973e9aa5aa3dcbef8aacd729d5587f2c981a8c5d35d601f172e1cb609425ef97bbed35b26d2d9380b41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\~.sonam kaur.doc
MD5
0e27d177b82ca30ea3b1b2c11f6cf30f

SHA1
f37cf48a0d50303026b38a1c46eb4df02cc01d53

SHA256
0f72243366c4f2bb44abad8e2b3dae07c274fb68812860cdcb33bb47bbf61c2c

SHA512
7d2c91730d64f4d96e446d56fb2c6060a80217e37c79241276e28da6ddda79a6c124c3e45fc3564a38a72f78820f27e7015ce5150a0ef7fba7d26e7839765483

Download Submit
memory/632-116-0x00000129260D0000-0x00000129260D2000-memory.dmp

Filesize
8KB

Download
memory/632-114-0x00000129244A0000-0x00000129244A1000-memory.dmp

Filesize
4KB

Download
memory/1988-128-0x0000000000000000-mapping.dmp

Download
memory/1988-133-0x0000011FB6AC0000-0x0000011FB6AC2000-memory.dmp

Filesize
8KB

Download
memory/1988-131-0x0000011FB43C0000-0x0000011FB43C1000-memory.dmp

Filesize
4KB

Download
memory/2784-120-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-126-0x00007FFADAFC0000-0x00007FFADC0AE000-memory.dmp

Filesize
16.9MB

Download
memory/2784-122-0x00007FFADEA90000-0x00007FFAE15B3000-memory.dmp

Filesize
43.1MB

Download
memory/2784-123-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-121-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-119-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-118-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-127-0x00007FFAD90C0000-0x00007FFADAFB5000-memory.dmp

Filesize
31.0MB

Download
memory/2784-117-0x0000000000000000-mapping.dmp

Download
memory/2784-385-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-386-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-387-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download
memory/2784-388-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads