Analysis
max time kernel: 101s
max time network: 80s
platform: windows7_x64
resource: win7-en
submitted: 07/09/2021, 13:56
Static task: static1
Behavioral task: behavioral1
  Sample: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Resource: win10v20210408
General
Target: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
Size: 1.1MB
MD5: fc95d7841f298dbe638cbe63d7878d89
SHA1: 919324ceb106a872866c9b78612094666644b03d
SHA256: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78
SHA512: b7a581dda18cf09b9b4f69e922244efb90b8494536e1281b01a86a5dcc25cf0a3edc1361895b4bbd305eb8368471a37b811c4ce956f8e047f8aab7365fb2b45f
Malware Config
Extracted: C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\ReadMe.txt
Signatures

Deletes itself (1 IoCs)
- pid 344, process cmd.exe

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery.bmp (process: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery.bmp (process: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by process 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe, one entry per drive, in the order reported: \??\L:, \??\I:, \??\F:, \??\Z:, \??\W:, \??\S:, \??\R:, \??\P:, \??\H:, \??\G:, \??\E:, \??\Y:, \??\Q:, \??\O:, \??\N:, \??\K:, \??\J:, \??\V:, \??\U:, \??\T:, \??\M:, \??\B:, \??\A:, \??\X:
Drops file in Program Files directory (40 IoCs)
All 40 entries are "File opened for modification" by process 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe, in the order reported:
- C:\PROGRA~3\MICROS~2\MSOUTL~1.HXN
- C:\PROGRA~3\MICROS~2\nslist.hxl
- C:\PROGRA~3\Mozilla\updates\308046~1\UPDATE~1.JSO
- C:\PROGRA~3\PACKAG~1\{F4220~1\state.rsm
- C:\PROGRA~3\Adobe\Acrobat\9.0\REPLIC~1\Security\DIRECT~1.ACR
- C:\PROGRA~3\MICROS~2\MSINFO~2.HXN
- C:\PROGRA~3\MICROS~2\MSOIS1~1.HXN
- C:\PROGRA~3\MICROS~2\MSGROO~1.HXN
- C:\PROGRA~3\MICROS~2\MSSETL~1.HXN
- C:\PROGRA~3\DOCUME~1
- C:\PROGRA~3\MICROS~2\Hx.hxn
- C:\PROGRA~3\MICROS~2\HX_103~2.HXW
- C:\PROGRA~3\MICROS~2\MSMSOU~1.HXN
- C:\PROGRA~3\MICROS~2\MSWINW~2.HXN
- C:\PROGRA~3\APPLIC~1
- C:\PROGRA~3\FAVORI~1
- C:\PROGRA~3\MICROS~2\HX_103~1.LCK
- C:\PROGRA~3\MICROS~2\MSWINW~1.HXN
- C:\PROGRA~3\MICROS~2\MSEXCE~2.HXN
- C:\PROGRA~3\MICROS~2\MSMSPU~2.HXN
- C:\PROGRA~3\MICROS~2\MSMSTO~1.HXN
- C:\PROGRA~3\MICROS~2\MSONEN~1.HXN
- C:\PROGRA~3\PACKAG~1\{CA675~1\state.rsm
- C:\PROGRA~3\STARTM~1
- C:\PROGRA~3\TEMPLA~1
- C:\PROGRA~3\MICROS~2\MSEXCE~1.HXN
- C:\PROGRA~3\MICROS~2\MSGRAP~1.HXN
- C:\PROGRA~3\MICROS~2\MSMSPU~1.HXN
- C:\PROGRA~3\MICROS~2\MSPOWE~2.HXN
- C:\PROGRA~3\Desktop
- C:\PROGRA~3\MICROS~2\HX_103~1.HXD
- C:\PROGRA~3\MICROS~2\MSOUTL~2.HXN
- C:\PROGRA~3\MICROS~2\MSPOWE~1.HXN
- C:\PROGRA~3\MICROS~2\MSINFO~1.HXN
- C:\PROGRA~3\MICROS~2\MSMSAC~1.HXN
- C:\PROGRA~3\MICROS~2\MSMSAC~2.HXN
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\state.rsm
- C:\PROGRA~3\Adobe\Updater6\ADOBEE~2.XML
- C:\PROGRA~3\MICROS~2\HX_103~1.HXW
- C:\PROGRA~3\MICROS~2\HX_103~1.HXH
Drops file in Windows directory (1 IoCs)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
All entries are by process WINWORD.EXE, in the order reported:
- Key created: \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (str): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key created: \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (str): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (str): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created: \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key created: \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Set value (int): \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Opens file in notepad (likely ransom note) (2 IoCs)
- pid 668, process NOTEPAD.EXE
- pid 340, process NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- pid 1892, process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs)
- pid 1136, process 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe (20 identical entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, pid 1136, process 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
- Token: 33, pid 1624, process AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 1624, process AUDIODG.EXE
- Token: 33, pid 1624, process AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 1624, process AUDIODG.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 1892, process WINWORD.EXE (3 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1136 wrote to memory of 344; pid 1136, process 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe, procid_target 31 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe"
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1136
  Child process:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\44F0B6~1.BAT
    - Deletes itself
    PID: 344
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadMe.txt
  - Opens file in notepad (likely ransom note)
  PID: 668
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1764
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2b8
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1892
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ReadMe.txt
  - Opens file in notepad (likely ransom note)
  PID: 340