Analysis
-
max time kernel
149s -
max time network
133s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-04-2021 13:50
Static task
static1
Behavioral task
behavioral1
Sample
dettare-04.22.2021.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
dettare-04.22.2021.doc
Resource
win10v20210410
General
-
Target
dettare-04.22.2021.doc
-
Size
170KB
-
MD5
7a505b0a54691e03015e62dc1424bae9
-
SHA1
c723379191e2b61e00e78e93531a78aea7a4167f
-
SHA256
ef9ce000152d2e164a2ad8b13e427d95c8bf6570f244d837ac969c1548f41e71
-
SHA512
8519d6ac872f23b45aac4f848b64a37a7b62452e3effd471466e36a9831043e7e6468c2bbf3e42111fc7f87dbab1a76341effc5b308704a0028689e9a4ecf1cb
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1588 1868 explorer.exe WINWORD.EXE -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 2084 created 1844 2084 WerFault.exe mshta.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 1640 1844 WerFault.exe mshta.exe 2084 1844 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1868 WINWORD.EXE 1868 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
WerFault.exepid process 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe 1640 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1640 WerFault.exe Token: SeBackupPrivilege 1640 WerFault.exe Token: SeDebugPrivilege 1640 WerFault.exe -
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
WINWORD.EXEpid process 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE 1868 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEexplorer.exedescription pid process target process PID 1868 wrote to memory of 1588 1868 WINWORD.EXE explorer.exe PID 1868 wrote to memory of 1588 1868 WINWORD.EXE explorer.exe PID 1500 wrote to memory of 1844 1500 explorer.exe mshta.exe PID 1500 wrote to memory of 1844 1500 explorer.exe mshta.exe PID 1500 wrote to memory of 1844 1500 explorer.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dettare-04.22.2021.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer c:\users\public\documentLoadGlobal.hta2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\documentLoadGlobal.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 13323⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 12843⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\documentLoadGlobal.htaMD5
337a53f22afe61a4e897c090a4a8f5ad
SHA1068c2dffcf31338fe30afb97f2eaaf15f3fe3113
SHA256bccce6b4e738a51573ad1567e53fc720f4d18230e19858b1c243380d1dee2f2d
SHA5124b288d5d35fc47d6e1963b9d912e5a8d3195616dbbb93374a5b62036d55b7c9b96d9606cedc0219515cdc5557a84b90cfc15b7b69ec9da9e7e267499d1d0d08a
-
memory/1588-180-0x0000000000000000-mapping.dmp
-
memory/1844-183-0x0000000000000000-mapping.dmp
-
memory/1868-116-0x00007FF800890000-0x00007FF8008A0000-memory.dmpFilesize
64KB
-
memory/1868-119-0x00007FF800890000-0x00007FF8008A0000-memory.dmpFilesize
64KB
-
memory/1868-118-0x00007FF822580000-0x00007FF8250A3000-memory.dmpFilesize
43.1MB
-
memory/1868-122-0x00007FF81C2B0000-0x00007FF81D39E000-memory.dmpFilesize
16.9MB
-
memory/1868-123-0x00007FF81A3B0000-0x00007FF81C2A5000-memory.dmpFilesize
31.0MB
-
memory/1868-147-0x00007FF7FDBB0000-0x00007FF7FDBC0000-memory.dmpFilesize
64KB
-
memory/1868-114-0x00007FF800890000-0x00007FF8008A0000-memory.dmpFilesize
64KB
-
memory/1868-181-0x00000256AA0F0000-0x00000256AA0F4000-memory.dmpFilesize
16KB
-
memory/1868-117-0x00007FF800890000-0x00007FF8008A0000-memory.dmpFilesize
64KB
-
memory/1868-115-0x00007FF800890000-0x00007FF8008A0000-memory.dmpFilesize
64KB