Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-05-2021 17:10

Static task: static1

Behavioral task: behavioral1
- Sample: inquiry,05.05.2021.doc
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: inquiry,05.05.2021.doc
- Resource: win10v20210408
General
- Target: inquiry,05.05.2021.doc
- Size: 79KB
- MD5: a60f00b085daf1454fc229164be49862
- SHA1: 71adf78e05ff5af07d9dd6154c1ea0695a013eb6
- SHA256: 21905e3b19ea3c56637b8c5315cbe422c78d7d8fa48ff6358057b305e748cbfb
- SHA512: 5194f26b1428ba7de66682bf9907c303024faed51797e8d6f4aefe0daf5b8a78727777930e00c1bed015477a4195f9d12cf84de320c7905596e99c17960394f8
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: explorer.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3812 | 4044 | explorer.exe | WINWORD.EXE

- Program crash (1 IoC)
  Processes: WerFault.exe
    pid | pid_target | process | target process
    1188 | 696 | WerFault.exe | mshta.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

- Modifies registry class (1 IoC)
  Processes: explorer.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    4044 | WINWORD.EXE (2 identical rows)

- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: WerFault.exe
    pid | process
    1188 | WerFault.exe (15 identical rows)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
    description | pid | process
    Token: SeRestorePrivilege | 1188 | WerFault.exe
    Token: SeBackupPrivilege | 1188 | WerFault.exe
    Token: SeDebugPrivilege | 1188 | WerFault.exe

- Suspicious use of SetWindowsHookEx (20 IoCs)
  Processes: WINWORD.EXE
    pid | process
    4044 | WINWORD.EXE (20 identical rows)

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: WINWORD.EXE, explorer.exe
    description | pid | process | target process
    PID 4044 wrote to memory of 3812 | 4044 | WINWORD.EXE | explorer.exe (2 identical rows)
    PID 2296 wrote to memory of 696 | 2296 | explorer.exe | mshta.exe (3 identical rows)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4044)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\inquiry,05.05.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 3812)
    Command line: explorer c:\users\public\sizeTitleVariable.hta
    - Process spawned unexpected child process

- C:\Windows\explorer.exe (PID 2296)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (PID 696)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\sizeTitleVariable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Windows\SysWOW64\WerFault.exe (PID 1188)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1332
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Public\sizeTitleVariable.hta
  MD5: 89839109321fbc3a3fe65e7ac7a2d04d
  SHA1: 70d35025dc06c3cfaae47b0ce3cd4883531afca2
  SHA256: 854714aa6bb0d8bd26a5c7ffbc3bcb394c828fdaa169711656e8349979e8b404
  SHA512: 2f6a6567b2743575b594f1f06382aed996b7d19aca0946a5828bdf294a6c4ed8e04703eba61344a4a99e0110ba2190d0ae2d1e06cc6eced79cbd565e0f0df740
- memory/696-182-0x0000000000000000-mapping.dmp
- memory/3812-179-0x0000000000000000-mapping.dmp
- memory/4044-114-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp (Filesize: 64KB)
- memory/4044-115-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp (Filesize: 64KB)
- memory/4044-116-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp (Filesize: 64KB)
- memory/4044-117-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp (Filesize: 64KB)
- memory/4044-119-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp (Filesize: 64KB)
- memory/4044-118-0x00007FFB7D030000-0x00007FFB7FB53000-memory.dmp (Filesize: 43.1MB)
- memory/4044-122-0x00007FFB775A0000-0x00007FFB7868E000-memory.dmp (Filesize: 16.9MB)
- memory/4044-123-0x00007FFB756A0000-0x00007FFB77595000-memory.dmp (Filesize: 31.0MB)
- memory/4044-181-0x00000192E80E0000-0x00000192E80E4000-memory.dmp (Filesize: 16KB)