Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-05-2021 12:02

Static task: static1

Behavioral task: behavioral1
- Sample: Users/valdershof/AppData/Local/Temp/1/Temp1_request (2).zip/statistics.05.05.21.doc
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Users/valdershof/AppData/Local/Temp/1/Temp1_request (2).zip/statistics.05.05.21.doc
- Resource: win10v20210408
General
- Target: Users/valdershof/AppData/Local/Temp/1/Temp1_request (2).zip/statistics.05.05.21.doc
- Size: 79KB
- MD5: 5b1f0547ccf84dcbff593f7c8f5942d8
- SHA1: 3e5a4257f797363211724a83b40b42c84396bf47
- SHA256: 643ead4ad454664576dd55236b4d924a91294d155315ec8860af96a6157263d4
- SHA512: a149e6d4bf6093b3af4fffc14824335a72cff53cea28d27a103f98a450439768ab29f0a532a512364e5b5b726fccb2bc051aaebb145b5ca05680c01c088c7ab6
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: explorer.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1364 | 640 | explorer.exe | WINWORD.EXE

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  2676 | 904 | WerFault.exe | mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  640 | WINWORD.EXE (2 identical entries)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: WerFault.exe
  pid | process
  2676 | WerFault.exe (15 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 2676 | WerFault.exe
  Token: SeBackupPrivilege | 2676 | WerFault.exe
  Token: SeDebugPrivilege | 2676 | WerFault.exe

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes: WINWORD.EXE
  pid | process
  640 | WINWORD.EXE (18 identical entries)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: WINWORD.EXE, explorer.exe
  description | pid | process | target process
  PID 640 wrote to memory of 1364 | 640 | WINWORD.EXE | explorer.exe (2 identical entries)
  PID 2000 wrote to memory of 904 | 2000 | explorer.exe | mshta.exe (3 identical entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Users\valdershof\AppData\Local\Temp\1\Temp1_request (2).zip\statistics.05.05.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe
    Command line: explorer c:\users\public\dataTrustRequest.hta
    - Process spawned unexpected child process

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\dataTrustRequest.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1320
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Public\dataTrustRequest.hta
  MD5: 8ec163e76fce1f25578d1c05a795b4bc
  SHA1: 08a476eeb1cd6eae7e17331bbbcd1adc44168fc3
  SHA256: 1444d45a93a63b2d305ef991e9e78b05405bfdc5e572e735d4c9a8bf9470dcb1
  SHA512: c1c481c931dc2f4aa8a17be7dd265b82297ae6641057908581fa1fb09aa5c794335f941833e8f1cbbe0b01e18e07dd614c0a5689cd89d632cb42400799d8cb8a

memory/640-114-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp
  Filesize: 64KB

memory/640-115-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp
  Filesize: 64KB

memory/640-116-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp
  Filesize: 64KB

memory/640-117-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp
  Filesize: 64KB

memory/640-119-0x00007FFD9F860000-0x00007FFD9F870000-memory.dmp
  Filesize: 64KB

memory/640-118-0x00007FFDC0450000-0x00007FFDC2F73000-memory.dmp
  Filesize: 43.1MB

memory/640-122-0x00007FFDBC340000-0x00007FFDBD42E000-memory.dmp
  Filesize: 16.9MB

memory/640-123-0x00007FFDBA440000-0x00007FFDBC335000-memory.dmp
  Filesize: 31.0MB

memory/640-181-0x00000179D2390000-0x00000179D2394000-memory.dmp
  Filesize: 16KB

memory/904-182-0x0000000000000000-mapping.dmp

memory/1364-179-0x0000000000000000-mapping.dmp