5006f7e335419bd53914bc920c975c869f3e34dff6578d89fb5efa2ec5780ea5

Analysis

max time kernel
7s
max time network
195s
platform
windows7_x64
resource
win7-en-20211014
submitted
07-11-2021 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft offic-.exe
Size

593KB
MD5

8b7f1dcf0caf3efffc01533c96a74549
SHA1

09b79e350615e6c7e0a233adc626f0cf738dac80
SHA256

d8dfcdaa950d6281082e4c0949da37172edf53b51f8403b1d07cfcb4325e9432
SHA512

6740e42db205e9213d49096dbc9578083d5c02bd22c617cd254cfbc0a30dc44a31eed3d643380d16a3280bcc5c911234e157b6b040b319537a4b42092a14aacc

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Microsoft offic-.exe

pid process

332 Microsoft offic-.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
332	Microsoft offic-.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Microsoft offic-.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	332	Microsoft offic-.exe
Token: 33	596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	596	AUDIODG.EXE
Token: 33	596	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	596	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\Microsoft offic-.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft offic-.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1276

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiF4DB.tmp\rxpi.dll
MD5
6ebffeb2812e913df7262e74fe4b2f7d

SHA1
f04982defc13557dc1fd684b5f34ec6286f90ddb

SHA256
c70307f6d22b328d15c33546d9c79dcb32fbb277b13fec0886962ce43adf8b54

SHA512
d81ec401c2f50f7416b255f0a4c674fb07999aacac9dd1163035e475d586cceadd21e9e0114371d173fdf5e23ba8093a4a0bc8287dd907b779dea46aa678d9a6

Download Submit
memory/332-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/828-57-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/828-58-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1276-60-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download