799c92dbf9afd51ce4760192ef65c42432f006e0fbab34971019bfe53926b879

General

Target

c33304d6_by_Libranalysis.doc
Size

65KB
MD5

c33304d6de97b0263aa4277716ee9730
SHA1

52bd645c127469b4c18486deb270151352a19296
SHA256

799c92dbf9afd51ce4760192ef65c42432f006e0fbab34971019bfe53926b879
SHA512

5276eb3c5b5274f389b5c679cc7b466a9d35c7d50b8754dc75a8af9e0c88814e27aac125918885475692915fee47ee3264e57663afc710448a3633a47573016b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

860 1036 WerFault.exe mshta.exe

pid	pid_target	process	target process
860	1036	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

752 WINWORD.EXE
752 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe
860	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 860 WerFault.exe
Token: SeBackupPrivilege 860 WerFault.exe
Token: SeDebugPrivilege 860 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	860	WerFault.exe
Token: SeBackupPrivilege	860	WerFault.exe
Token: SeDebugPrivilege	860	WerFault.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXE

pid	process
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE
752	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c33304d6_by_Libranalysis.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:3868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3956

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\arrayVbLoad.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1328
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\arrayVbLoad.hta
MD5
2a9b0b8b7891d97ce0c0a137d9288ec0

SHA1
7a107f51d52b65137ac39798a2b47b08e46b5f4d

SHA256
fd34c7544efbf5b06f3d1e7abd93df952ba518a86aa91c9d4938d10242fdc6c0

SHA512
8e216c38283463769695d7ad53aa634df84a2210603b3aca535e701e563115b9da2ab5a89773cf5c0ed00a6f16acf92fe33d326e5127c2cd081c738204abc8a0

Download Submit
memory/752-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

Filesize
64KB

Download
memory/752-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

Filesize
64KB

Download
memory/752-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

Filesize
64KB

Download
memory/752-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

Filesize
64KB

Download
memory/752-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

Filesize
64KB

Download
memory/752-118-0x00007FFA7A350000-0x00007FFA7CE73000-memory.dmp

Filesize
43.1MB

Download
memory/752-122-0x00007FFA74700000-0x00007FFA757EE000-memory.dmp

Filesize
16.9MB

Download
memory/752-123-0x00007FFA72800000-0x00007FFA746F5000-memory.dmp

Filesize
31.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads