Analysis
-
max time kernel
75s -
max time network
34s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
10-05-2021 16:09
Static task
static1
Behavioral task
behavioral1
Sample
document.docm
Resource
win7v20210408
Behavioral task
behavioral2
Sample
document.docm
Resource
win10v20210410
General
-
Target
document.docm
-
Size
68KB
-
MD5
da3992522a61736e5dbc5c32978f05fe
-
SHA1
670f0d608571fa8d799a98232cf2c16e8ccb9289
-
SHA256
e6afaabd1e4a2c7adeedca6ee0ed095271a53a293162e3cf7ed52d570279258e
-
SHA512
a2c3eee48add8eabf4fbe86a9e699fda302c143823f6ea3a629becf03d3d539aacfeabce52514e4b73e0db6d827031aec13e576a113f0aec92d0f7eb92f1c32a
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 428 688 mshta.exe WINWORD.EXE -
Blocklisted process makes network request 5 IoCs
Processes:
mshta.exeflow pid process 5 428 mshta.exe 6 428 mshta.exe 8 428 mshta.exe 9 428 mshta.exe 10 428 mshta.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
task-8764.exepid process 316 task-8764.exe -
Loads dropped DLL 1 IoCs
Processes:
mshta.exepid process 428 mshta.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WINWORD.EXEdescription ioc process File opened (read-only) \??\Z: WINWORD.EXE File opened (read-only) \??\A: WINWORD.EXE File opened (read-only) \??\J: WINWORD.EXE File opened (read-only) \??\K: WINWORD.EXE File opened (read-only) \??\N: WINWORD.EXE File opened (read-only) \??\Q: WINWORD.EXE File opened (read-only) \??\S: WINWORD.EXE File opened (read-only) \??\V: WINWORD.EXE File opened (read-only) \??\B: WINWORD.EXE File opened (read-only) \??\F: WINWORD.EXE File opened (read-only) \??\G: WINWORD.EXE File opened (read-only) \??\L: WINWORD.EXE File opened (read-only) \??\R: WINWORD.EXE File opened (read-only) \??\Y: WINWORD.EXE File opened (read-only) \??\E: WINWORD.EXE File opened (read-only) \??\I: WINWORD.EXE File opened (read-only) \??\M: WINWORD.EXE File opened (read-only) \??\O: WINWORD.EXE File opened (read-only) \??\T: WINWORD.EXE File opened (read-only) \??\H: WINWORD.EXE File opened (read-only) \??\P: WINWORD.EXE File opened (read-only) \??\U: WINWORD.EXE File opened (read-only) \??\W: WINWORD.EXE File opened (read-only) \??\X: WINWORD.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry class 22 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43D5AE92-4332-477C-8883-E0B3B063C5D2}\ = "IWMPWindow" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CEA03A2-D0C5-4E97-9C38-A676A639A51D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\FLAGS WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\FLAGS\ = "4" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\0 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\0\win32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43D5AE92-4332-477C-8883-E0B3B063C5D2} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43D5AE92-4332-477C-8883-E0B3B063C5D2} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CEA03A2-D0C5-4E97-9C38-A676A639A51D}\ = "IWMPSkinList" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\WMPLib.exd" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\HELPDIR WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{946B023E-044C-4473-8018-74954F09DC7E} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{946B023E-044C-4473-8018-74954F09DC7E}\ = "IWMPHoverPreviewDispatch" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{946B023E-044C-4473-8018-74954F09DC7E} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8CEA03A2-D0C5-4E97-9C38-A676A639A51D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\ = "Windows Media Player" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{976F023A-8884-45A0-B53B-B90A7EABF91D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43D5AE92-4332-477C-8883-E0B3B063C5D2}\ = "IWMPWindow" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{946B023E-044C-4473-8018-74954F09DC7E}\ = "IWMPHoverPreviewDispatch" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8CEA03A2-D0C5-4E97-9C38-A676A639A51D}\ = "IWMPSkinList" WINWORD.EXE -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 688 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 688 WINWORD.EXE 688 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 688 WINWORD.EXE 688 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEmshta.exedescription pid process target process PID 688 wrote to memory of 1668 688 WINWORD.EXE splwow64.exe PID 688 wrote to memory of 1668 688 WINWORD.EXE splwow64.exe PID 688 wrote to memory of 1668 688 WINWORD.EXE splwow64.exe PID 688 wrote to memory of 1668 688 WINWORD.EXE splwow64.exe PID 688 wrote to memory of 428 688 WINWORD.EXE mshta.exe PID 688 wrote to memory of 428 688 WINWORD.EXE mshta.exe PID 688 wrote to memory of 428 688 WINWORD.EXE mshta.exe PID 688 wrote to memory of 428 688 WINWORD.EXE mshta.exe PID 428 wrote to memory of 316 428 mshta.exe task-8764.exe PID 428 wrote to memory of 316 428 mshta.exe task-8764.exe PID 428 wrote to memory of 316 428 mshta.exe task-8764.exe PID 428 wrote to memory of 316 428 mshta.exe task-8764.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.docm"1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\SysWOW64\mshta.exemshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\task-8764.exe"C:\Users\Admin\AppData\Local\Temp\task-8764.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\task-8764.exeMD5
f0d563e989c1724797d84173dc310504
SHA19c1bf71dfccd9662e144348af7bf9e512af21c1c
SHA256a6d2541ce15998d2e4d7e819e0b66f32b8b4734985ad4a1e295d1e14ee21ee7f
SHA5120d7c03c4db2e1ec53cd047fadf79a564515713a394a7d0a712529cad82eeb0fd40c54490917fa84b09cf793e0d2da69d7434711438667a4f0e8c2ddeb2bfb78c
-
\Users\Admin\AppData\Local\Temp\task-8764.exeMD5
f0d563e989c1724797d84173dc310504
SHA19c1bf71dfccd9662e144348af7bf9e512af21c1c
SHA256a6d2541ce15998d2e4d7e819e0b66f32b8b4734985ad4a1e295d1e14ee21ee7f
SHA5120d7c03c4db2e1ec53cd047fadf79a564515713a394a7d0a712529cad82eeb0fd40c54490917fa84b09cf793e0d2da69d7434711438667a4f0e8c2ddeb2bfb78c
-
memory/316-68-0x0000000000000000-mapping.dmp
-
memory/428-65-0x0000000000000000-mapping.dmp
-
memory/688-60-0x0000000072651000-0x0000000072654000-memory.dmpFilesize
12KB
-
memory/688-61-0x00000000700D1000-0x00000000700D3000-memory.dmpFilesize
8KB
-
memory/688-62-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/688-66-0x00000000054C0000-0x00000000054D4000-memory.dmpFilesize
80KB
-
memory/1668-63-0x0000000000000000-mapping.dmp
-
memory/1668-64-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmpFilesize
8KB