02e62eeb73ac0c0fa55cc203fbee23420a848cf991106eca3f75e8863a0cb4e5

General

Target

7abe6d89_by_Libranalysis.doc
Size

68KB
MD5

7abe6d890f58d5a0b421edb2d4eed932
SHA1

a9c31dbfd581bcbb7236c828c6cc9dac13dbc6be
SHA256

02e62eeb73ac0c0fa55cc203fbee23420a848cf991106eca3f75e8863a0cb4e5
SHA512

488a7397cf9644c42a8b5a831f4a0e3a2ad99fc4cb7fe4d617ee8bd4085459f54a34be868c752c57375bba10e6dfa9ac5f7424aa0bb233943c1cb48f5d95bebc

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2272	3680	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

mshta.exe

flow pid process

25 2272 mshta.exe
27 2272 mshta.exe
28 2272 mshta.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

task-2225.exe

pid process

3952 task-2225.exe

flow	pid	process
25	2272	mshta.exe
27	2272	mshta.exe
28	2272	mshta.exe

pid	process
3952	task-2225.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
File opened (read-only)	\??\B:	WINWORD.EXE
File opened (read-only)	\??\J:	WINWORD.EXE
File opened (read-only)	\??\K:	WINWORD.EXE
File opened (read-only)	\??\M:	WINWORD.EXE
File opened (read-only)	\??\N:	WINWORD.EXE
File opened (read-only)	\??\X:	WINWORD.EXE
File opened (read-only)	\??\E:	WINWORD.EXE
File opened (read-only)	\??\H:	WINWORD.EXE
File opened (read-only)	\??\I:	WINWORD.EXE
File opened (read-only)	\??\U:	WINWORD.EXE
File opened (read-only)	\??\V:	WINWORD.EXE
File opened (read-only)	\??\W:	WINWORD.EXE
File opened (read-only)	\??\T:	WINWORD.EXE
File opened (read-only)	\??\A:	WINWORD.EXE
File opened (read-only)	\??\F:	WINWORD.EXE
File opened (read-only)	\??\G:	WINWORD.EXE
File opened (read-only)	\??\O:	WINWORD.EXE
File opened (read-only)	\??\Q:	WINWORD.EXE
File opened (read-only)	\??\R:	WINWORD.EXE
File opened (read-only)	\??\S:	WINWORD.EXE
File opened (read-only)	\??\Y:	WINWORD.EXE
File opened (read-only)	\??\L:	WINWORD.EXE
File opened (read-only)	\??\P:	WINWORD.EXE
File opened (read-only)	\??\Z:	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3680 WINWORD.EXE
3680 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeShutdownPrivilege 3680 WINWORD.EXE
Token: SeCreatePagefilePrivilege 3680 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

3680 WINWORD.EXE
3680 WINWORD.EXE

description	pid	process
Token: SeShutdownPrivilege	3680	WINWORD.EXE
Token: SeCreatePagefilePrivilege	3680	WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE
3680	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXEmshta.exe

description	pid	process	target process
PID 3680 wrote to memory of 1364	3680	WINWORD.EXE	splwow64.exe
PID 3680 wrote to memory of 1364	3680	WINWORD.EXE	splwow64.exe
PID 3680 wrote to memory of 2272	3680	WINWORD.EXE	mshta.exe
PID 3680 wrote to memory of 2272	3680	WINWORD.EXE	mshta.exe
PID 2272 wrote to memory of 3952	2272	mshta.exe	task-2225.exe
PID 2272 wrote to memory of 3952	2272	mshta.exe	task-2225.exe
PID 2272 wrote to memory of 3952	2272	mshta.exe	task-2225.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7abe6d89_by_Libranalysis.doc" /o ""
1⤵
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1364

C:\Windows\SYSTEM32\mshta.exe
mshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\task-2225.exe
"C:\Users\Admin\AppData\Local\Temp\task-2225.exe"
3⤵
- Executes dropped EXE
PID:3952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\task-2225.exe
MD5
0733d419a18124833b92af75d65d42a4

SHA1
2d69faba27d0f57c22642efc3bb4a7388a7270e5

SHA256
c9b807b28e1fee284104356f934b030a5739844b910a9441a5b104df6ab24c4c

SHA512
d58ebbc8914447a35a1d3340e8c67d5c858010ff4a66a66c3dac654b6f9af7779945561b64ccd8b2d3250404a68cbeffebf4e70904f8e91f893a35435cb49b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\task-2225.exe
MD5
0733d419a18124833b92af75d65d42a4

SHA1
2d69faba27d0f57c22642efc3bb4a7388a7270e5

SHA256
c9b807b28e1fee284104356f934b030a5739844b910a9441a5b104df6ab24c4c

SHA512
d58ebbc8914447a35a1d3340e8c67d5c858010ff4a66a66c3dac654b6f9af7779945561b64ccd8b2d3250404a68cbeffebf4e70904f8e91f893a35435cb49b05

Download Submit
memory/1364-179-0x0000000000000000-mapping.dmp

Download
memory/2272-180-0x0000000000000000-mapping.dmp

Download
memory/3680-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-182-0x000002EB6C060000-0x000002EB6C070000-memory.dmp

Filesize
64KB

Download
memory/3680-122-0x00007FF876250000-0x00007FF87733E000-memory.dmp

Filesize
16.9MB

Download
memory/3680-123-0x00007FF8736A0000-0x00007FF875595000-memory.dmp

Filesize
31.0MB

Download
memory/3680-114-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-181-0x000002EB6C050000-0x000002EB6C060000-memory.dmp

Filesize
64KB

Download
memory/3680-119-0x00007FF87B2D0000-0x00007FF87DDF3000-memory.dmp

Filesize
43.1MB

Download
memory/3680-183-0x000002EB6C050000-0x000002EB6C060000-memory.dmp

Filesize
64KB

Download
memory/3680-184-0x000002EB6C050000-0x000002EB6C060000-memory.dmp

Filesize
64KB

Download
memory/3680-185-0x000002EB6C050000-0x000002EB6C060000-memory.dmp

Filesize
64KB

Download
memory/3680-186-0x000002EB6C050000-0x000002EB6C060000-memory.dmp

Filesize
64KB

Download
memory/3680-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3680-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp

Filesize
64KB

Download
memory/3952-187-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads