Analysis

max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 14:05

Static task: static1
Behavioral task: behavioral1
  Sample: 0720a1760ad35b21d11f219b1296495e.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 0720a1760ad35b21d11f219b1296495e.exe
  Resource: win10v20210410

General

Target: 0720a1760ad35b21d11f219b1296495e.exe
Size: 2.4MB
MD5: 0720a1760ad35b21d11f219b1296495e
SHA1: b56990e97f273697e8e83970035cddf9882721fd
SHA256: 42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07
SHA512: 9daad20d9934e2d8aa441146e4c28bdfb08dfa08d68becf42bb67c7d50a2b8f990a639583ea96b32e142cb99aa672658eb66a28208375aa33c1f573551090328
Malware Config
Signatures
Drops startup file (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BCXSTZ.lnk | 0720a1760ad35b21d11f219b1296495e.exe

Loads dropped DLL (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
pid | process
1100 | 0720a1760ad35b21d11f219b1296495e.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/1420-64-0x0000000000A30000-0x0000000000A51000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run | 0720a1760ad35b21d11f219b1296495e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCXSTZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\winnote.exe\"" | 0720a1760ad35b21d11f219b1296495e.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | pid | process | target process
PID 1420 set thread context of 1100 | 1420 | 0720a1760ad35b21d11f219b1296495e.exe | 0720a1760ad35b21d11f219b1296495e.exe

autoit_exe (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1100-68-0x0000000000426BF7-mapping.dmp | autoit_exe
behavioral1/memory/1100-69-0x00000000005E0000-0x0000000000726000-memory.dmp | autoit_exe
behavioral1/memory/1100-74-0x00000000005E0000-0x0000000000726000-memory.dmp | autoit_exe

Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE

Modifies system certificate store
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | 0720a1760ad35b21d11f219b1296495e.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [binary blob not preserved on this page] | 0720a1760ad35b21d11f219b1296495e.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [binary blob not preserved on this page] | 0720a1760ad35b21d11f219b1296495e.exe

NTFS ADS (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 | 0720a1760ad35b21d11f219b1296495e.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
pid | process
740 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
pid | process
1420 | 0720a1760ad35b21d11f219b1296495e.exe
1420 | 0720a1760ad35b21d11f219b1296495e.exe
1420 | 0720a1760ad35b21d11f219b1296495e.exe
1100 | 0720a1760ad35b21d11f219b1296495e.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
pid | process
1100 | 0720a1760ad35b21d11f219b1296495e.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 0720a1760ad35b21d11f219b1296495e.exe
description | pid | process
Token: SeDebugPrivilege | 1420 | 0720a1760ad35b21d11f219b1296495e.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid | process
740 | WINWORD.EXE
740 | WINWORD.EXE

Suspicious use of WriteProcessMemory (19 IoCs)
Processes: 0720a1760ad35b21d11f219b1296495e.exe, WINWORD.EXE
description | pid | process | target process
PID 1420 wrote to memory of 1100 | 1420 | 0720a1760ad35b21d11f219b1296495e.exe | 0720a1760ad35b21d11f219b1296495e.exe (11 identical entries)
PID 1100 wrote to memory of 740 | 1100 | 0720a1760ad35b21d11f219b1296495e.exe | WINWORD.EXE (4 identical entries)
PID 740 wrote to memory of 848 | 740 | WINWORD.EXE | splwow64.exe (4 identical entries)
Processes

Process tree (the number in brackets is the nesting depth):

[1] C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe"
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0720a1760ad35b21d11f219b1296495e.exe"
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

[3] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JVBXFQ.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\JVBXFQ.rtf
MD5: d295c8b2da0c5e453d9f1a38ce851f38
SHA1: edecdb3f9570c1903ed9f77d21920825403f3f8c
SHA256: 9febf652d086e359850c6db8029301729d35723f4e1bc85279ce53fbc32034f4
SHA512: b439accc80b93f575589e37e1774a9815f43281597245feff21466ffd6107325324fc78bb57d431f1b8322c9e125b66e799eac6c75afe37208ae2cf92b805a07

\Users\Admin\AppData\Roaming\Windata\winnote.exe
MD5: 0720a1760ad35b21d11f219b1296495e
SHA1: b56990e97f273697e8e83970035cddf9882721fd
SHA256: 42b69d127811ca7706dde5099f967a1502a3192cf4e3d4b0b7cf5660959f7d07
SHA512: 9daad20d9934e2d8aa441146e4c28bdfb08dfa08d68becf42bb67c7d50a2b8f990a639583ea96b32e142cb99aa672658eb66a28208375aa33c1f573551090328

Memory dumps (region and file size where recorded):
memory/740-75-0x0000000000000000-mapping.dmp
memory/740-84-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/740-79-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/740-77-0x000000006FB21000-0x000000006FB23000-memory.dmp (8KB)
memory/740-76-0x00000000720A1000-0x00000000720A4000-memory.dmp (12KB)
memory/848-83-0x000007FEFB741000-0x000007FEFB743000-memory.dmp (8KB)
memory/848-82-0x0000000000000000-mapping.dmp
memory/1100-73-0x0000000074FB1000-0x0000000074FB3000-memory.dmp (8KB)
memory/1100-74-0x00000000005E0000-0x0000000000726000-memory.dmp (1.3MB)
memory/1100-69-0x00000000005E0000-0x0000000000726000-memory.dmp (1.3MB)
memory/1100-68-0x0000000000426BF7-mapping.dmp
memory/1100-67-0x0000000000400000-0x0000000000546000-memory.dmp (1.3MB)
memory/1420-60-0x0000000000370000-0x0000000000371000-memory.dmp (4KB)
memory/1420-66-0x00000000020B0000-0x00000000020B1000-memory.dmp (4KB)
memory/1420-65-0x0000000002020000-0x000000000202B000-memory.dmp (44KB)
memory/1420-64-0x0000000000A30000-0x0000000000A51000-memory.dmp (132KB)
memory/1420-62-0x0000000000610000-0x0000000000611000-memory.dmp (4KB)