Overview
overview
7Static
static
7OFFICE21.rar
windows10-2004-x64
3MICROSOFT ...ll.exe
windows10-2004-x64
7out.exe
windows10-2004-x64
MICROSOFT ...un.inf
windows10-2004-x64
1MICROSOFT ...re.xml
windows10-2004-x64
1MICROSOFT ...ll.xml
windows10-2004-x64
1MICROSOFT ...pp.exe
windows10-2004-x64
1MICROSOFT ...00.dll
windows10-2004-x64
3MICROSOFT ...pp.exe
windows10-2004-x64
1MICROSOFT ...00.dll
windows10-2004-x64
3Analysis
-
max time kernel
958s -
max time network
963s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-es -
resource tags
arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
02-02-2023 16:34
Behavioral task
behavioral1
Sample
OFFICE21.rar
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral2
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/OInstall.exe
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral3
Sample
out.exe
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral4
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/autorun.inf
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral5
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/Configure.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral6
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/Uninstall.xml
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral7
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/x64/cleanospp.exe
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral8
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/x64/msvcr100.dll
Resource
win10v2004-20221111-es
windows10-2004-x64
Behavioral task
behavioral9
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/x86/cleanospp.exe
Resource
win10v2004-20220812-es
windows10-2004-x64
Behavioral task
behavioral10
Sample
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/files/x86/msvcr100.dll
Resource
win10v2004-20220812-es
windows10-2004-x64
General
-
Target
MICROSOFT OFFICE 2021 JULIANTECNOLOGICO/MICROSOFT OFFICE 2021 PRO PLUS/OInstall.exe
-
Size
10.9MB
-
MD5
ebc58647462ad9c76395ef451064d115
-
SHA1
14e470812f13b278b2694a4cec5737a39784e9dd
-
SHA256
414155bf11893ec64ba0f4ffb7de92885090845a0761cf8f6743462aa5991d5e
-
SHA512
8a9ef093d151957ae3c4c8e572fcdbd2198398c95ff8186d532853856c12c8f9ae7408c4f24518c5903faa517ea4e1d5779e797c5a4d850073fbee3ab801e8cc
-
SSDEEP
196608:2ZnMGjZsDEsCaYsGEHy61bgUhufRswPU2/V8Gd83/PALDP0PiaQxhwf+9zYul28S:WnjZhsCOU6ZgfPPPuGdnv0fzfoDYtB
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4896-133-0x0000000000400000-0x000000000199D000-memory.dmp upx behavioral2/memory/4896-137-0x0000000000400000-0x000000000199D000-memory.dmp upx behavioral2/memory/4896-138-0x0000000000400000-0x000000000199D000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4896 OInstall.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3496 WMIC.exe Token: SeSecurityPrivilege 3496 WMIC.exe Token: SeTakeOwnershipPrivilege 3496 WMIC.exe Token: SeLoadDriverPrivilege 3496 WMIC.exe Token: SeSystemProfilePrivilege 3496 WMIC.exe Token: SeSystemtimePrivilege 3496 WMIC.exe Token: SeProfSingleProcessPrivilege 3496 WMIC.exe Token: SeIncBasePriorityPrivilege 3496 WMIC.exe Token: SeCreatePagefilePrivilege 3496 WMIC.exe Token: SeBackupPrivilege 3496 WMIC.exe Token: SeRestorePrivilege 3496 WMIC.exe Token: SeShutdownPrivilege 3496 WMIC.exe Token: SeDebugPrivilege 3496 WMIC.exe Token: SeSystemEnvironmentPrivilege 3496 WMIC.exe Token: SeRemoteShutdownPrivilege 3496 WMIC.exe Token: SeUndockPrivilege 3496 WMIC.exe Token: SeManageVolumePrivilege 3496 WMIC.exe Token: 33 3496 WMIC.exe Token: 34 3496 WMIC.exe Token: 35 3496 WMIC.exe Token: 36 3496 WMIC.exe Token: SeIncreaseQuotaPrivilege 3496 WMIC.exe Token: SeSecurityPrivilege 3496 WMIC.exe Token: SeTakeOwnershipPrivilege 3496 WMIC.exe Token: SeLoadDriverPrivilege 3496 WMIC.exe Token: SeSystemProfilePrivilege 3496 WMIC.exe Token: SeSystemtimePrivilege 3496 WMIC.exe Token: SeProfSingleProcessPrivilege 3496 WMIC.exe Token: SeIncBasePriorityPrivilege 3496 WMIC.exe Token: SeCreatePagefilePrivilege 3496 WMIC.exe Token: SeBackupPrivilege 3496 WMIC.exe Token: SeRestorePrivilege 3496 WMIC.exe Token: SeShutdownPrivilege 3496 WMIC.exe Token: SeDebugPrivilege 3496 WMIC.exe Token: SeSystemEnvironmentPrivilege 3496 WMIC.exe Token: SeRemoteShutdownPrivilege 3496 WMIC.exe Token: SeUndockPrivilege 3496 WMIC.exe Token: SeManageVolumePrivilege 3496 WMIC.exe Token: 33 3496 WMIC.exe Token: 34 3496 WMIC.exe Token: 35 3496 WMIC.exe Token: 36 3496 WMIC.exe Token: SeIncreaseQuotaPrivilege 4364 WMIC.exe Token: SeSecurityPrivilege 4364 WMIC.exe Token: SeTakeOwnershipPrivilege 4364 WMIC.exe Token: SeLoadDriverPrivilege 4364 WMIC.exe Token: SeSystemProfilePrivilege 4364 WMIC.exe Token: SeSystemtimePrivilege 4364 WMIC.exe Token: SeProfSingleProcessPrivilege 4364 WMIC.exe Token: SeIncBasePriorityPrivilege 4364 WMIC.exe Token: SeCreatePagefilePrivilege 4364 WMIC.exe Token: SeBackupPrivilege 4364 WMIC.exe Token: SeRestorePrivilege 4364 WMIC.exe Token: SeShutdownPrivilege 4364 WMIC.exe Token: SeDebugPrivilege 4364 WMIC.exe Token: SeSystemEnvironmentPrivilege 4364 WMIC.exe Token: SeRemoteShutdownPrivilege 4364 WMIC.exe Token: SeUndockPrivilege 4364 WMIC.exe Token: SeManageVolumePrivilege 4364 WMIC.exe Token: 33 4364 WMIC.exe Token: 34 4364 WMIC.exe Token: 35 4364 WMIC.exe Token: 36 4364 WMIC.exe Token: SeIncreaseQuotaPrivilege 4364 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4896 wrote to memory of 4872 4896 OInstall.exe 81 PID 4896 wrote to memory of 4872 4896 OInstall.exe 81 PID 4872 wrote to memory of 3496 4872 cmd.exe 83 PID 4872 wrote to memory of 3496 4872 cmd.exe 83 PID 4896 wrote to memory of 2488 4896 OInstall.exe 85 PID 4896 wrote to memory of 2488 4896 OInstall.exe 85 PID 2488 wrote to memory of 4364 2488 cmd.exe 87 PID 2488 wrote to memory of 4364 2488 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\OInstall.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\files"2⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\MICROSOFT OFFICE 2021 JULIANTECNOLOGICO\MICROSOFT OFFICE 2021 PRO PLUS\files"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x3081⤵PID:3088