a8fa2bc68cf2b47965315c68bcde06cd09c139e4c8bd61efec7c0a533202308e

General

Target

Users/valdershof/AppData/Local/Temp/1/Temp1_request (2).zip/statistics.05.05.21.doc
Size

79KB
MD5

5b1f0547ccf84dcbff593f7c8f5942d8
SHA1

3e5a4257f797363211724a83b40b42c84396bf47
SHA256

643ead4ad454664576dd55236b4d924a91294d155315ec8860af96a6157263d4
SHA512

a149e6d4bf6093b3af4fffc14824335a72cff53cea28d27a103f98a450439768ab29f0a532a512364e5b5b726fccb2bc051aaebb145b5ca05680c01c088c7ab6

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1364	640	explorer.exe	WINWORD.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2676 904 WerFault.exe mshta.exe

pid	pid_target	process	target process
2676	904	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

640 WINWORD.EXE
640 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2676 WerFault.exe
Token: SeBackupPrivilege 2676 WerFault.exe
Token: SeDebugPrivilege 2676 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	2676	WerFault.exe
Token: SeBackupPrivilege	2676	WerFault.exe
Token: SeDebugPrivilege	2676	WerFault.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXEexplorer.exe

description	pid	process	target process
PID 640 wrote to memory of 1364	640	WINWORD.EXE	explorer.exe
PID 640 wrote to memory of 1364	640	WINWORD.EXE	explorer.exe
PID 2000 wrote to memory of 904	2000	explorer.exe	mshta.exe
PID 2000 wrote to memory of 904	2000	explorer.exe	mshta.exe
PID 2000 wrote to memory of 904	2000	explorer.exe	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Users\valdershof\AppData\Local\Temp\1\Temp1_request (2).zip\statistics.05.05.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\explorer.exe
explorer c:\users\public\dataTrustRequest.hta
2⤵
- Process spawned unexpected child process
PID:1364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\dataTrustRequest.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1320
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\dataTrustRequest.hta
MD5
8ec163e76fce1f25578d1c05a795b4bc

SHA1
08a476eeb1cd6eae7e17331bbbcd1adc44168fc3

SHA256
1444d45a93a63b2d305ef991e9e78b05405bfdc5e572e735d4c9a8bf9470dcb1

SHA512
c1c481c931dc2f4aa8a17be7dd265b82297ae6641057908581fa1fb09aa5c794335f941833e8f1cbbe0b01e18e07dd614c0a5689cd89d632cb42400799d8cb8a

Download Submit
memory/640-114-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-115-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-116-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-117-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-119-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp

Filesize
64KB

Download
memory/640-118-0x00007FFDC0450000-0x00007FFDC2F73000-memory.dmp

Filesize
43.1MB

Download
memory/640-122-0x00007FFDBC340000-0x00007FFDBD42E000-memory.dmp

Filesize
16.9MB

Download
memory/640-123-0x00007FFDBA440000-0x00007FFDBC335000-memory.dmp

Filesize
31.0MB

Download
memory/640-181-0x00000179D2390000-0x00000179D2394000-memory.dmp

Filesize
16KB

Download
memory/904-182-0x0000000000000000-mapping.dmp

Download
memory/1364-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads