Analysis
- max time kernel: 103s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 10-06-2021 14:55
- Static task: static1
- Behavioral task behavioral1: sample order-06.010.2021.doc, resource win7v20210410
- Behavioral task behavioral2: sample order-06.010.2021.doc, resource win10v20210410
General
- Target: order-06.010.2021.doc
- Size: 45KB
- MD5: 08bfdea676168b15bcbc8d1dfef36e77
- SHA1: e07427f180773ef0b2709298c276e70dcac94058
- SHA256: fa822b09cf153f7e38073e0f6a78795af2ec6620d0fd4a88d0b9226f0a0c3448
- SHA512: a6bc65a833c4f5f1ba9148d5a324773f6bcaf609ee0a541e42bcbdf41fb826491861cc304809626dfd4c1bca026ace9bc910726a90dba861363e3e40571ab4f6
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    explorer.exe (pid 3572), spawned by WINWORD.EXE (pid 3680): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    WerFault.exe (pid 1956), target mshta.exe (pid 4036): PID 1956 created 4036
- Program crash (2 IoCs)
  Processes:
    WerFault.exe (pid 2348), target mshta.exe (pid 4036)
    WerFault.exe (pid 1956), target mshta.exe (pid 4036)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Note that the process recorded for these reads is WINWORD.EXE itself, the host Office process that opened the document; the report does not attribute the reads to the document's payload, so these hits are not by themselves evidence of evasion.
  Processes:
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  The same caveat applies: the reading process is WINWORD.EXE.
  Processes:
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies registry class (1 IoC)
  Processes:
    explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (pid 3680), 2 occurrences
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    WerFault.exe (pid 2348), 15 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    WerFault.exe (pid 2348): Token: SeRestorePrivilege
    WerFault.exe (pid 2348): Token: SeBackupPrivilege
    WerFault.exe (pid 2348): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (23 IoCs)
  Processes:
    WINWORD.EXE (pid 3680), 23 occurrences
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    WINWORD.EXE (pid 3680) wrote to memory of explorer.exe (pid 3572), 2 occurrences
    explorer.exe (pid 4072) wrote to memory of mshta.exe (pid 4036), 3 occurrences
Processes
(PIDs are those recorded in the Signatures section. The two WerFault.exe instances, pids 2348 and 1956, cannot be matched to a specific command line from the report.)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 3680)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order-06.010.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (pid 3572)
    "C:\Windows\explorer.exe" c:\programdata\repoLnk.hta
    - Process spawned unexpected child process
- C:\Windows\explorer.exe (pid 4072)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (pid 4036)
    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\repoLnk.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1384
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1632
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
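The process tree is what a detection engineer would key on. The block below is an added example, not code from the sandbox report or its vendor: it runs three rules over process-creation events constructed from the tree above (the field names follow a simplified Sysmon Event ID 1 shape and are this example's own, as are the pid 1000 stand-in for the unrecorded launcher of the two top-level processes and the choice of which WerFault.exe pid to attach to the -s 1384 instance). It also shows why a rule keyed only on a direct Office parent fires on the explorer.exe child but never reaches mshta.exe, whose parent in this report is the separate COM /factory explorer.exe rather than the one WINWORD.EXE started.

```python
"""Parent/child detection for the WINWORD -> explorer.exe -> mshta.exe chain.

Added example; not code from the sandbox report. Events are constructed from
the report's process tree in a simplified Sysmon Event ID 1 shape.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


# Constructed from the report's process tree. pid 1000 stands in for whatever
# started WINWORD.EXE and the COM /factory explorer.exe (not recorded on the page).
EVENTS: List[ProcEvent] = [
    ProcEvent(3680, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\order-06.010.2021.doc" /o ""'),
    ProcEvent(3572, 3680, r"C:\Windows\explorer.exe",
              r'"C:\Windows\explorer.exe" c:\programdata\repoLnk.hta'),
    ProcEvent(4072, 1000, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(4036, 4072, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\repoLnk.hta" '
              r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    # The report lists WerFault.exe pids 2348 and 1956 but does not say which -s
    # value belongs to which; 2348 is assigned to this instance arbitrarily.
    ProcEvent(2348, 4036, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1384"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office host has no ordinary reason to start. Assumed list; tune per fleet.
OFFICE_CHILD_DENYLIST = {"explorer.exe", "mshta.exe", "cmd.exe", "powershell.exe",
                         "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# User-writable locations an HTA should not normally be executed from (assumed list).
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name component of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_in_ancestry(pid: int, events: List[ProcEvent]) -> bool:
    """Walk ppid links upward; True if any ancestor is an Office host."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is not None and image_name(parent.image) in OFFICE_IMAGES:
            return True
        cur = parent
    return False


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Apply three rules to each process-creation event and return the hits."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        img = image_name(e.image)
        parent = by_pid.get(e.ppid)
        # Rule 1: an Office host spawning a child from the denylist.
        if (parent is not None and image_name(parent.image) in OFFICE_IMAGES
                and img in OFFICE_CHILD_DENYLIST):
            alerts.append(Alert(e.pid, "office_unexpected_child",
                                f"{image_name(parent.image)} -> {img}"))
        # Rule 2: explorer.exe used as a proxy launcher for an HTA file.
        if img == "explorer.exe" and HTA_RE.search(e.cmdline):
            alerts.append(Alert(e.pid, "explorer_hta_proxy", e.cmdline))
        # Rule 3: mshta.exe executing an HTA from a user-writable directory.
        if img == "mshta.exe":
            args = e.cmdline.lower()
            if HTA_RE.search(args) and any(d in args for d in WRITABLE_DIRS):
                alerts.append(Alert(e.pid, "mshta_hta_from_writable_dir", e.cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"pid {a.pid:>5}  {a.rule:<28}  {a.detail}")
    # Rule 1 alone never reaches mshta.exe: its parent is the COM /factory
    # explorer.exe, so the Office ancestry chain is broken at pid 4072.
    print("mshta.exe has an Office ancestor:", office_in_ancestry(4036, EVENTS))
```

Rules 2 and 3 are what make the mshta.exe stage visible: in this report the explorer.exe instance that receives the WriteProcessMemory calls and launches mshta.exe is the /factory COM instance, not the child of WINWORD.EXE, so a parent-image rule keyed on Office stops at pid 3572.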
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\repoLnk.hta
  MD5: f490f8cb8e5e5e86da051604e206c425
  SHA1: e988db88aece30bcc54237e6979a45dfe7583547
  SHA256: 83c9087f95215506ccf40f1566692f4c75326d5a637c01c364dd3068e26cdd26
  SHA512: 6504820da57375e20a5ff840e78d149d997b6591d15b229fedcdce66f351308699a9cacc423e3ae88dc4fd3295bc821d553f215f1d3da8d39b17021451e5f01f
- memory/3572-179-0x0000000000000000-mapping.dmp
- memory/3680-114-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/3680-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/3680-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/3680-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/3680-119-0x00007FF85A170000-0x00007FF85A180000-memory.dmp (64KB)
- memory/3680-118-0x00007FF87C090000-0x00007FF87EBB3000-memory.dmp (43.1MB)
- memory/3680-122-0x00007FF876250000-0x00007FF87733E000-memory.dmp (16.9MB)
- memory/3680-123-0x00007FF8736A0000-0x00007FF875595000-memory.dmp (31.0MB)
- memory/4036-181-0x0000000000000000-mapping.dmp