Analysis

  Max time kernel:   150s
  Max time network:  150s
  Platform:          windows10_x64
  Resource:          win10v20210408
  Submitted:         12-05-2021 14:04

  Tasks
    static1      Static task
    behavioral1  Behavioral task   Sample: c33304d6_by_Libranalysis.doc   Resource: win7v20210410
    behavioral2  Behavioral task   Sample: c33304d6_by_Libranalysis.doc   Resource: win10v20210408

  The behavioural results below are from the windows10_x64 run (resource win10v20210408, task behavioral2).
General

  Target:  c33304d6_by_Libranalysis.doc
  Size:    65KB
  MD5:     c33304d6de97b0263aa4277716ee9730
  SHA1:    52bd645c127469b4c18486deb270151352a19296
  SHA256:  799c92dbf9afd51ce4760192ef65c42432f006e0fbab34971019bfe53926b879
  SHA512:  5276eb3c5b5274f389b5c679cc7b466a9d35c7d50b8754dc75a8af9e0c88814e27aac125918885475692915fee47ee3264e57663afc710448a3633a47573016b
Malware Config

  (none extracted)

Signatures

  Program crash (1 IoC)
    process       pid  pid_target  target process
    WerFault.exe  860  1036        mshta.exe

  Checks processor information in registry (2 TTPs, 3 IoCs)
    Processor information is often read in order to detect sandboxing environments. In this run every such read is attributed to WINWORD.EXE itself (pid 752), which also queries these keys during ordinary start-up, so on its own this is weak evidence of evasion; it is not attributed to the dropped HTA.

    description        ioc                                                                                   process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

  Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                              process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

  Suspicious behavior: AddClipboardFormatListener (2 IoCs)
    pid  process
    752  WINWORD.EXE   (2 occurrences)

  Suspicious behavior: EnumeratesProcesses (15 IoCs)
    pid  process
    860  WerFault.exe  (15 occurrences)

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description                pid  process
    Token: SeRestorePrivilege  860  WerFault.exe
    Token: SeBackupPrivilege   860  WerFault.exe
    Token: SeDebugPrivilege    860  WerFault.exe

    The two WerFault.exe signatures (process enumeration and privilege adjustment) are consistent with the crash handler opening and dumping the faulting mshta.exe process; they describe Windows Error Reporting, not the sample.

  Suspicious use of SetWindowsHookEx (20 IoCs)
    pid  process
    752  WINWORD.EXE   (20 occurrences)
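The two registry signatures above are the kind of IoC a triager has to weigh rather than count: the same reads are fingerprinting when a dropped payload makes them and noise when Office does. The script below is an added example written for this page, not the sandbox vendor's code. It consumes rows in the report's own three columns (description, ioc, process), maps them onto the HKLM keys used for VM/sandbox fingerprinting, and scores per process, downgrading hits attributed only to an Office host. REPORT_ROWS are the six rows the report attributes to WINWORD.EXE; CONSTRUCTED_ROWS (a hypothetical payload.exe) are made up for contrast and were not observed. The extra value names under each key and the Office allowlist are assumptions that generalize beyond the four values the report shows.

```python
"""Rank registry-read IoCs of the kind listed under "Checks processor
information in registry" and "Enumerates system info in registry".
Added example for this page, not the sandbox vendor's code.  Rows reuse the
report's own columns (description, ioc, process): REPORT_ROWS are the six
rows attributed to WINWORD.EXE; CONSTRUCTED_ROWS are made up for contrast
and were not observed.  Value-name lists and OFFICE_HOSTS are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# HKLM keys commonly read to fingerprint a VM or sandbox, with the value
# names under each that carry hardware identity.  ~MHz, ProcessorNameString,
# SystemFamily and SystemSKU are the four the report shows; the rest are
# their usual neighbours (assumption).
FINGERPRINT_KEYS = {
    r"hardware\description\system\centralprocessor\0":
        ("cpu", {"~mhz", "processornamestring", "identifier", "vendoridentifier"}),
    r"hardware\description\system\bios":
        ("bios", {"systemfamily", "systemsku", "systemmanufacturer",
                  "systemproductname", "biosvendor", "biosversion"}),
}

# Hosts that read these keys during ordinary start-up: a hit attributed only
# to them, as for WINWORD.EXE (pid 752) in this report, is weak evidence.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Strip the kernel-style \REGISTRY\MACHINE\ prefix so HKLM is implied.
_HKLM = re.compile(r"^\\registry\\machine\\", re.IGNORECASE)


def normalize_key(path: str) -> str:
    # \REGISTRY\MACHINE\Hardware\Description\... -> hardware\description\...
    return _HKLM.sub("", path.strip()).lower()


@dataclass
class Finding:
    process: str
    categories: set[str] = field(default_factory=set)
    values: set[str] = field(default_factory=set)

    @property
    def severity(self) -> str:
        if self.process.lower() in OFFICE_HOSTS:
            return "info"
        return "high" if len(self.categories) > 1 else "medium"


def triage(rows: list[tuple[str, str, str]]) -> dict[str, Finding]:
    """Group fingerprinting reads per process; rows are (description, ioc, process)."""
    findings: dict[str, Finding] = {}
    for description, ioc, process in rows:
        key = normalize_key(ioc)
        value = None
        if description.lower() == "key value queried":
            key, _, value = key.rpartition("\\")      # split off the value name
        hit = FINGERPRINT_KEYS.get(key)
        if hit is None or (value is not None and value not in hit[1]):
            continue                                  # not a fingerprinting read
        f = findings.setdefault(process, Finding(process))
        f.categories.add(hit[0])
        if value is not None:
            f.values.add(value)
    return findings


REPORT_ROWS = [  # the six rows the report attributes to WINWORD.EXE (pid 752)
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "WINWORD.EXE"),
    ("Key opened", r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily", "WINWORD.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "WINWORD.EXE"),
]
CONSTRUCTED_ROWS = [  # constructed for contrast; payload.exe is hypothetical, not in the report
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString", "payload.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "payload.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "payload.exe"),
]

if __name__ == "__main__":
    for f in triage(REPORT_ROWS + CONSTRUCTED_ROWS).values():
        print(f"{f.severity:<6} {f.process:<12} {sorted(f.categories)} {sorted(f.values)}")
```

Run against the report's rows alone, WINWORD.EXE comes out as "info" with both categories hit, which is the correct reading of this trace; the same four reads from a non-Office process would score "high". The ProductName row is dropped because that key is not on the fingerprinting list, which keeps the output from inflating on unrelated registry activity.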
Processes

  [depth 1] "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c33304d6_by_Libranalysis.doc" /o ""
    PID 752
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  [depth 1] C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
    PID 3868

  [depth 1] C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
    PID 3956

  [depth 1] "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\arrayVbLoad.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID 1036

    [depth 2] C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1328
      PID 860
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  Reading the tree: mshta.exe is listed at the top level, not as a child of WINWORD.EXE, so the report does not show which process started it. What it does show is that an HTA was written to C:\Users\Public\arrayVbLoad.hta (hashes under Downloads) and executed by the 32-bit mshta.exe, and that this process then crashed: WerFault.exe -p 1036 names it as the faulting process, which is the "Program crash" signature above. The two rundll32.exe entries are COM local-server hosts (shell32's SHCreateLocalServerRunDll with the -Embedding activation flag); the report attributes no signatures to them.
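The tree and the "Program crash" row are both derivable from plain process-creation data, which is how the same linkage is made when hunting in EDR telemetry rather than reading a sandbox page. The script below is an added example for this page, not the sandbox's code. PROCS copies the five processes above (pid, image, command line); the report prints no parent pids, so ppid is inferred from the depth markers (None for a top-level entry, 1036 for the WerFault.exe entry nested under mshta.exe). It rebuilds the tree, resolves the WerFault -p target to its image to reproduce the crash row, flags mshta.exe running an .hta from a user-writable directory (the WRITABLE_DIRS list is an assumption), and labels the rundll32 COM hosts.

```python
"""Rebuild the report's process tree from process records and derive the
"Program crash" row and the mshta.exe finding from it.  Added example for
this page, not the sandbox's code.  PROCS copies the five processes in the
report (pid, image, command line); ppid is inferred from the tree depth
markers because the report prints none: None = top-level entry, 1036 = the
WerFault.exe entry nested under mshta.exe.  WRITABLE_DIRS is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


PROCS = [
    Proc(752, None, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\c33304d6_by_Libranalysis.doc" /o ""'),
    Proc(3868, None, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll "
         r"{c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding"),
    Proc(3956, None, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
         r"SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding"),
    Proc(1036, None, r"C:\Windows\SysWOW64\mshta.exe",
         r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\arrayVbLoad.hta" '
         r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    Proc(860, 1036, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1328"),
]

# Directories any user can write to (assumption); a script host fed from one
# of them is the pivot this report shows (C:\Users\Public\arrayVbLoad.hta).
WRITABLE_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\",
                 "c:\\programdata\\", "c:\\windows\\temp\\")

_HTA = re.compile(r'"([^"]+?\.hta)"|(\S+\.hta)(?=\s|$)', re.IGNORECASE)
_WER_TARGET = re.compile(r"-p\s+(\d+)")
_CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


def werfault_target(cmdline: str) -> int | None:
    """WerFault.exe -u -p <pid> -s <handle>: -p names the faulting process."""
    m = _WER_TARGET.search(cmdline)
    return int(m.group(1)) if m else None


def hta_path(cmdline: str) -> str | None:
    """First .hta argument on an mshta.exe command line, quoted or bare."""
    m = _HTA.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def render_tree(procs: list[Proc]) -> list[str]:
    """Indented tree; a ppid absent from the trace makes the entry a root."""
    by_pid = {p.pid: p for p in procs}
    children: dict = {}
    for p in procs:
        children.setdefault(p.ppid if p.ppid in by_pid else None, []).append(p)
    lines: list[str] = []

    def walk(parent, depth: int) -> None:
        for p in children.get(parent, []):
            lines.append(f"{'  ' * depth}[{p.pid}] {p.cmdline}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


def findings(procs: list[Proc]) -> list[str]:
    """Derive report-style findings from the process records alone."""
    by_pid = {p.pid: p for p in procs}
    out: list[str] = []
    for p in procs:
        if p.name == "werfault.exe":            # crash handler -> faulting pid
            target = werfault_target(p.cmdline)
            victim = by_pid.get(target)
            out.append(f"Program crash: WerFault.exe pid {p.pid} reported pid {target} "
                       f"({victim.name if victim else 'not in trace'})")
        elif p.name == "mshta.exe":             # script host fed from a drop location
            path = hta_path(p.cmdline)
            if path and any(d in path.lower() for d in WRITABLE_DIRS):
                out.append(f"mshta.exe pid {p.pid} executed HTA from user-writable path: {path}")
        elif p.name == "rundll32.exe" and "shcreatelocalserverrundll" in p.cmdline.lower():
            out.append(f"COM local server hosted by rundll32.exe pid {p.pid}: "
                       + " ".join(_CLSID.findall(p.cmdline)))
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    for line in findings(PROCS):
        print("-", line)
```

The crash row is reconstructed purely from the -p argument, so the same function works on WerFault command lines pulled from process-creation logs where the sandbox's pid_target column does not exist. The .hta check deliberately keys on the argument path rather than on mshta.exe's parent, because, as in this report, the parent is not always recorded.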
Network

  (none listed)

MITRE ATT&CK Enterprise v6

  TTP mappings are referenced by the two registry signatures above (2 TTPs each) but are not itemised in this report.
Downloads
  C:\Users\Public\arrayVbLoad.hta
    MD5:     2a9b0b8b7891d97ce0c0a137d9288ec0
    SHA1:    7a107f51d52b65137ac39798a2b47b08e46b5f4d
    SHA256:  fd34c7544efbf5b06f3d1e7abd93df952ba518a86aa91c9d4938d10242fdc6c0
    SHA512:  8e216c38283463769695d7ad53aa634df84a2210603b3aca535e701e563115b9da2ab5a89773cf5c0ed00a6f16acf92fe33d326e5127c2cd081c738204abc8a0

  Memory dumps (all from pid 752, WINWORD.EXE)
    dump                                                             size
    memory/752-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmp  64KB
    memory/752-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmp  64KB
    memory/752-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmp  64KB
    memory/752-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmp  64KB
    memory/752-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmp  64KB
    memory/752-118-0x00007FFA7A350000-0x00007FFA7CE73000-memory.dmp  43.1MB
    memory/752-122-0x00007FFA74700000-0x00007FFA757EE000-memory.dmp  16.9MB
    memory/752-123-0x00007FFA72800000-0x00007FFA746F5000-memory.dmp  31.0MB

    The five 64KB dumps cover the same 0x00007FFA59300000-0x00007FFA59310000 range captured at successive points. No memory dump of mshta.exe (pid 1036) is listed, so the dropped HTA file is the only artifact of that process available from this report.