Analysis
- max time kernel: 140s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 02-02-2021 00:18

Static task: static1

Behavioral task: behavioral1
- Sample: specifics_02.01.2021.doc
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: specifics_02.01.2021.doc
- Resource: win10v20201028
General
- Target: specifics_02.01.2021.doc
- Size: 75KB
- MD5: 68ced19043e3f6f97fb8b4624f02a8e9
- SHA1: e2975e9f468ce3158c9f7f90decc680a70ae7234
- SHA256: 0c9bf697ea913a97283d559bdd59fe83fef51a5038797dbfc9a8a7835f2968d6
- SHA512: 82dd4fecc9e3245b7c8b7f2db6ee43bbbeccc0eb10b1a108d313bedc4750482de02f3a6bd15f8512b738e2ef02c0a353c8d60c08a1574b53ee350d2d0fae67c9
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid: 1436 (explorer.exe)
    pid_target: 728 (WINWORD.EXE)

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 30
    pid: 1800 (mshta.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all by WINWORD.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (all by WINWORD.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

- Modifies registry class (1 IoC)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings (explorer.exe)

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid 728, WINWORD.EXE (2 occurrences)

- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes:
    pid 728, WINWORD.EXE (18 occurrences)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 728 wrote to memory of 1436: WINWORD.EXE -> explorer.exe (2 occurrences)
    PID 2224 wrote to memory of 1800: explorer.exe -> mshta.exe (3 occurrences)
    PID 1800 wrote to memory of 2136: mshta.exe -> regsvr32.exe (3 occurrences)
Processes

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 728)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\specifics_02.01.2021.doc" /o ""
  Signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child: C:\Windows\explorer.exe (PID 1436)
    Command line: explorer c:\programdata\aSziC.hta
    Signatures:
      - Process spawned unexpected child process

- C:\Windows\explorer.exe (PID 2224)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\mshta.exe (PID 1800)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\aSziC.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures:
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\regsvr32.exe (PID 2136)
      Command line: "C:\Windows\System32\regsvr32.exe" c:\programdata\aSziC.tmp
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\ProgramData\aSziC.hta
  MD5: 93de516d42854befc910a63c508aa44f
  SHA1: 96b5bc26f3df6d0e611b8e20641840d3a4fd9b15
  SHA256: 42e11567c6b657683163aac63975452398126236839860979c0abaabbd8b5a10
  SHA512: df63fda9f6153fa71746c4670bc6469a14a4d649933fa517639da79381385436a305a7d24d78216903a6d81cde18d196b96f984a8aee8ad2f5e64ac73cf8c1d0

- \??\c:\programdata\aSziC.tmp
  MD5: f048b70a6033069cf619ac435b87100b
  SHA1: 59559603bd9bea22084ea1ba5b4acb6ffcd0f5d8
  SHA256: fbe62ef64bf4525a5be63ff164e040791087f2fcee620a7a99bdffa9167caaa6
  SHA512: 98d1a0b609b54ed2545c7be560b14f2f81a7a60dc0b480f5879080534784b303a2e6e7aceb18690341c447a70d29529949129a39473d68c71c83bf975d8f1107

Memory dumps (file, filesize):
- memory/728-2-0x00007FF97B640000-0x00007FF97B650000-memory.dmp: 64KB
- memory/728-3-0x00007FF97B640000-0x00007FF97B650000-memory.dmp: 64KB
- memory/728-4-0x00007FF97B640000-0x00007FF97B650000-memory.dmp: 64KB
- memory/728-5-0x00007FF97B640000-0x00007FF97B650000-memory.dmp: 64KB
- memory/728-6-0x00007FF99AED0000-0x00007FF99B507000-memory.dmp: 6.2MB
- memory/728-7-0x000001D69A7D0000-0x000001D69A7D4000-memory.dmp: 16KB
- memory/1436-8-0x0000000000000000-mapping.dmp
- memory/1800-10-0x0000000000000000-mapping.dmp
- memory/2136-11-0x0000000000000000-mapping.dmp