Overview

overview

10

Static

static

8

dettare-04...21.doc

windows7_x64

10

dettare-04...21.doc

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-04-2021 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dettare-04.22.2021.doc

  • Size

    170KB

  • MD5

    7a505b0a54691e03015e62dc1424bae9

  • SHA1

    c723379191e2b61e00e78e93531a78aea7a4167f

  • SHA256

    ef9ce000152d2e164a2ad8b13e427d95c8bf6570f244d837ac969c1548f41e71

  • SHA512

    8519d6ac872f23b45aac4f848b64a37a7b62452e3effd471466e36a9831043e7e6468c2bbf3e42111fc7f87dbab1a76341effc5b308704a0028689e9a4ecf1cb

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dettare-04.22.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\explorer.exe
      explorer c:\users\public\documentLoadGlobal.hta
      2⤵
      • Process spawned unexpected child process
      PID:1588
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\documentLoadGlobal.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
        PID:1844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1332
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 1284
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          PID:2084

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\documentLoadGlobal.hta
      MD5

      337a53f22afe61a4e897c090a4a8f5ad

      SHA1

      068c2dffcf31338fe30afb97f2eaaf15f3fe3113

      SHA256

      bccce6b4e738a51573ad1567e53fc720f4d18230e19858b1c243380d1dee2f2d

      SHA512

      4b288d5d35fc47d6e1963b9d912e5a8d3195616dbbb93374a5b62036d55b7c9b96d9606cedc0219515cdc5557a84b90cfc15b7b69ec9da9e7e267499d1d0d08a

      Download Submit
    • memory/1588-180-0x0000000000000000-mapping.dmp
      Download
    • memory/1844-183-0x0000000000000000-mapping.dmp
      Download
    • memory/1868-116-0x00007FF800890000-0x00007FF8008A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1868-119-0x00007FF800890000-0x00007FF8008A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1868-118-0x00007FF822580000-0x00007FF8250A3000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/1868-122-0x00007FF81C2B0000-0x00007FF81D39E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/1868-123-0x00007FF81A3B0000-0x00007FF81C2A5000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/1868-147-0x00007FF7FDBB0000-0x00007FF7FDBC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1868-114-0x00007FF800890000-0x00007FF8008A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1868-181-0x00000256AA0F0000-0x00000256AA0F4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1868-117-0x00007FF800890000-0x00007FF8008A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1868-115-0x00007FF800890000-0x00007FF8008A0000-memory.dmp
      Filesize

      64KB

      Download