d7dfa1cecb7a67884414e33168940138e79e97e176d481ccee5ccc0e70a6f5f3

Analysis

max time kernel
958s
max time network
963s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
02/02/2023, 16:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/OInstall.exe
Size

10.9MB
MD5

ebc58647462ad9c76395ef451064d115
SHA1

14e470812f13b278b2694a4cec5737a39784e9dd
SHA256

414155bf11893ec64ba0f4ffb7de92885090845a0761cf8f6743462aa5991d5e
SHA512

8a9ef093d151957ae3c4c8e572fcdbd2198398c95ff8186d532853856c12c8f9ae7408c4f24518c5903faa517ea4e1d5779e797c5a4d850073fbee3ab801e8cc
SSDEEP

196608:2ZnMGjZsDEsCaYsGEHy61bgUhufRswPU2/V8Gd83/PALDP0PiaQxhwf+9zYul28S:WnjZhsCOU6ZgfPPPuGdnv0fzfoDYtB

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-133-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral2/memory/4896-137-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral2/memory/4896-138-0x0000000000400000-0x000000000199D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4896	OInstall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3496	WMIC.exe
Token: SeSecurityPrivilege	3496	WMIC.exe
Token: SeTakeOwnershipPrivilege	3496	WMIC.exe
Token: SeLoadDriverPrivilege	3496	WMIC.exe
Token: SeSystemProfilePrivilege	3496	WMIC.exe
Token: SeSystemtimePrivilege	3496	WMIC.exe
Token: SeProfSingleProcessPrivilege	3496	WMIC.exe
Token: SeIncBasePriorityPrivilege	3496	WMIC.exe
Token: SeCreatePagefilePrivilege	3496	WMIC.exe
Token: SeBackupPrivilege	3496	WMIC.exe
Token: SeRestorePrivilege	3496	WMIC.exe
Token: SeShutdownPrivilege	3496	WMIC.exe
Token: SeDebugPrivilege	3496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3496	WMIC.exe
Token: SeRemoteShutdownPrivilege	3496	WMIC.exe
Token: SeUndockPrivilege	3496	WMIC.exe
Token: SeManageVolumePrivilege	3496	WMIC.exe
Token: 33	3496	WMIC.exe
Token: 34	3496	WMIC.exe
Token: 35	3496	WMIC.exe
Token: 36	3496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe
Token: 35	4364	WMIC.exe
Token: 36	4364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4872	4896	OInstall.exe	81
PID 4896 wrote to memory of 4872	4896	OInstall.exe	81
PID 4872 wrote to memory of 3496	4872	cmd.exe	83
PID 4872 wrote to memory of 3496	4872	cmd.exe	83
PID 4896 wrote to memory of 2488	4896	OInstall.exe	85
PID 4896 wrote to memory of 2488	4896	OInstall.exe	85
PID 2488 wrote to memory of 4364	2488	cmd.exe	87
PID 2488 wrote to memory of 4364	2488	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x308
1⤵
PID:3088

Network

DNS

106.89.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

106.89.54.20.in-addr.arpa

IN PTR

Response
DNS

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

8.238.20.126:80

322 B
7
104.80.225.205:443

322 B
7
20.42.72.131:443

322 B
7
8.238.20.126:80

322 B
7
8.238.20.126:80

322 B
7
8.238.20.126:80

322 B
7

8.8.8.8:53

106.89.54.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

106.89.54.20.in-addr.arpa
8.8.8.8:53

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4896-133-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/4896-137-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/4896-138-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download