Analysis
max time kernel: 149s
max time network: 147s
platform: windows10_x64
resource: win10v20210408
submitted: 09-05-2021 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: input 05.07.2021.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: input 05.07.2021.doc
  Resource: win10v20210408
General
Target: input 05.07.2021.doc
Size: 79KB
MD5: 3951dd7af5f15dcaf0544089adb9c260
SHA1: f02a3bb9c1c9cb99b6d9995e981dc37adda8d7a2
SHA256: f69cef31cd670e8cabc1d1ebf38547f91b5ba5c155dc03b82de5ef1b9adc7a10
SHA512: 68c27dc4496118a8d776c3591abf5d89b97ed915e1af6648fce879b68a06552fce559314f905e616b52495af110ce7459011e1ee22ff3368dac1346b43e530a1
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: explorer.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1420 | 912 | explorer.exe | WINWORD.EXE

Program crash (1 IoC)
Processes: WerFault.exe
  pid | pid_target | process | target process
  2244 | 1956 | WerFault.exe | mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  912 | WINWORD.EXE (2 occurrences)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: WerFault.exe
  pid | process
  2244 | WerFault.exe (15 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description | pid | process
  Token: SeRestorePrivilege | 2244 | WerFault.exe
  Token: SeBackupPrivilege | 2244 | WerFault.exe
  Token: SeDebugPrivilege | 2244 | WerFault.exe

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes: WINWORD.EXE
  pid | process
  912 | WINWORD.EXE (18 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: WINWORD.EXE, explorer.exe
  description | pid | process | target process
  PID 912 wrote to memory of 1420 | 912 | WINWORD.EXE | explorer.exe (2 occurrences)
  PID 3048 wrote to memory of 1956 | 3048 | explorer.exe | mshta.exe (3 occurrences)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\input 05.07.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe (child of WINWORD.EXE)
    Command line: explorer c:\users\public\captionProcedureQuery.hta
    - Process spawned unexpected child process

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mshta.exe (child of explorer.exe)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\captionProcedureQuery.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

    C:\Windows\SysWOW64\WerFault.exe (child of mshta.exe)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1320
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\captionProcedureQuery.hta
  MD5: 71ed29a70f05e45519b3a2bbf68e3f9d
  SHA1: 3d29872afa6ee8282cf3843b96b1c29b4d7ed8c2
  SHA256: 82527e0e6eee06cd0ed2a34f63cb13ee2a6c3dd294cee2dcffdb527c23fa7164
  SHA512: 7e0e458275401fbb63f9bcbd114941ed191f2887559eedfdc99beb22f4244df9c14221b68d830168af4da20dd54432764dbec1e374cb7392f07712f4d6ed7953

Memory dumps
  dump | filesize
  memory/912-114-0x00007FF8EBA40000-0x00007FF8EBA50000-memory.dmp | 64KB
  memory/912-115-0x00007FF8EBA40000-0x00007FF8EBA50000-memory.dmp | 64KB
  memory/912-116-0x00007FF8EBA40000-0x00007FF8EBA50000-memory.dmp | 64KB
  memory/912-117-0x00007FF8EBA40000-0x00007FF8EBA50000-memory.dmp | 64KB
  memory/912-118-0x00007FF8EBA40000-0x00007FF8EBA50000-memory.dmp | 64KB
  memory/912-119-0x00007FF90C930000-0x00007FF90F453000-memory.dmp | 43.1MB
  memory/912-122-0x0000022DA1500000-0x0000022DA25EE000-memory.dmp | 16.9MB
  memory/912-123-0x00007FF9066E0000-0x00007FF9085D5000-memory.dmp | 31.0MB
  memory/912-180-0x0000022DB0530000-0x0000022DB0534000-memory.dmp | 16KB
  memory/1420-179-0x0000000000000000-mapping.dmp | (no filesize listed)
  memory/1956-182-0x0000000000000000-mapping.dmp | (no filesize listed)