Analysis
- max time kernel: 110s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-06-2021 14:53
Static task: static1
Behavioral task: behavioral1
  Sample: enjoin-06.21.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: enjoin-06.21.doc
  Resource: win10v20210408
General
- Target: enjoin-06.21.doc
- Size: 49KB
- MD5: 68f3731796cce6ce450d1b9e05093b2a
- SHA1: 9ccac54605eb3b0aa365cb359f6c71cb0a912fb8
- SHA256: b794fe749ab133b1a4197cd713c0d8e70723058e5c2d3df57b553475c12e42a8
- SHA512: ebd6e06b28ccb3a03d463da8d343a79ba31fc0b30424be972a520f5352561ddc4121f0a81744c30b80fb2c18660078c0ea72f0b22303ce2b7c68614c0124592b
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process: explorer.exe (PID 1160), parent WINWORD.EXE (PID 640)
- Program crash (1 IoC)
  Processes:
    WerFault.exe (PID 1920), target mshta.exe (PID 3136)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies registry class (1 IoC)
  Processes:
    explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (PID 640), 2 occurrences
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    WerFault.exe (PID 1920), 15 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    WerFault.exe (PID 1920): Token SeRestorePrivilege
    WerFault.exe (PID 1920): Token SeBackupPrivilege
    WerFault.exe (PID 1920): Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (24 IoCs)
  Processes:
    WINWORD.EXE (PID 640), 24 occurrences
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 640 (WINWORD.EXE) wrote to memory of PID 1160 (explorer.exe), 2 occurrences
    PID 4084 (explorer.exe) wrote to memory of PID 3136 (mshta.exe), 3 occurrences
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 640)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\enjoin-06.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe (PID 1160)
    C:\Windows\explorer.exe c:\programdata\globalCounter.hta
    - Process spawned unexpected child process
C:\Windows\explorer.exe (PID 4084)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe (PID 3136)
    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\globalCounter.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    C:\Windows\SysWOW64\WerFault.exe (PID 1920)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1328
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
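The detection point behind the "Process spawned unexpected child process" signature and the tree above: WINWORD.EXE does not start mshta.exe itself. It starts explorer.exe with the globalCounter.hta path as its argument, and mshta.exe then appears under a separate explorer.exe (the /factory ... -Embedding instance), so a rule keyed on "mshta.exe whose parent is WINWORD.EXE" never fires, while "Office app spawned explorer.exe with a script file argument" and "two processes referencing the same .hta path" both do. The Python below is an added example, not the sandbox's own code; its event list is constructed from the PIDs and command lines on this page (the parent PIDs of the two top-level processes are not given and are left as None), and the Office-app, script-host and script-extension name sets are assumptions.

```python
"""Process-tree checks over the events in the report above (added example).

EVENTS is constructed from the process tree and the WriteProcessMemory /
unexpected-child signatures on the page; parent PIDs the page does not give
are None. OFFICE_APPS, SCRIPT_HOSTS and SCRIPT_EXTS are assumed allow/deny
lists, not something the report defines.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1")
# Quoted or unquoted absolute Windows paths inside a command line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"|([A-Za-z]:\\\S+)')

# Constructed from the report's process tree (PIDs from its signatures).
EVENTS = [
    ProcEvent(640, None, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\enjoin-06.21.doc" /o ""'),
    ProcEvent(1160, 640, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe c:\programdata\globalCounter.hta"),
    ProcEvent(4084, None, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(3136, 4084, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\globalCounter.hta" '
              r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    ProcEvent(1920, 3136, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1328"),
]


def paths_in(cmdline: str) -> List[str]:
    """Absolute paths mentioned on a command line, lower-cased for comparison."""
    return [(quoted or bare).lower() for quoted, bare in PATH_RE.findall(cmdline)]


def office_children(events: List[ProcEvent]) -> List[Tuple[int, str, int, str]]:
    """The report's signature: any process whose direct parent is an Office app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.name in OFFICE_APPS:
            hits.append((parent.pid, parent.name, e.pid, e.name))
    return hits


def script_hosts_under_office(events: List[ProcEvent]) -> List[int]:
    """The naive rule: a script host whose direct parent is an Office app.
    Empty for this tree, because mshta.exe's parent is explorer.exe (4084)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.name in SCRIPT_HOSTS and parent is not None and parent.name in OFFICE_APPS:
            hits.append(e.pid)
    return hits


def explorer_proxy_launches(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Office app -> explorer.exe <script file>: explorer hands the file to the
    shell's own COM server, so the script host is parented by that other
    explorer.exe. Flag the hand-off itself, keyed on the file extension."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.name != "explorer.exe" or parent is None or parent.name not in OFFICE_APPS:
            continue
        for path in paths_in(e.cmdline):
            if path.endswith(SCRIPT_EXTS):
                hits.append((e.pid, path))
    return hits


def link_by_artifact(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Tie processes together by the files they reference, ignoring the tree:
    {path: [pids]} for every path on more than one process's command line
    (a process's own image path is skipped so that ordinary launches do not match)."""
    groups: Dict[str, Set[int]] = {}
    for e in events:
        for path in paths_in(e.cmdline):
            if path != e.image.lower():
                groups.setdefault(path, set()).add(e.pid)
    return {p: sorted(pids) for p, pids in groups.items() if len(pids) > 1}


if __name__ == "__main__":
    print("office children:", office_children(EVENTS))
    print("script host directly under Office:", script_hosts_under_office(EVENTS))
    print("explorer proxy launches:", explorer_proxy_launches(EVENTS))
    print("linked by artifact:", link_by_artifact(EVENTS))
```

Run as-is it reports the explorer.exe child of Word, an empty result for the naive parent-is-Office script-host rule, the 1160 hand-off of globalCounter.hta, and the two PIDs (1160 and 3136) that reference that file despite sitting in different branches of the tree. In a real pipeline the same three functions would be fed process-creation events from Sysmon or EDR telemetry instead of the constructed list.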
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\globalCounter.hta
  MD5: a10cc5c493b3ebc1f075424e146e92f0
  SHA1: 1ccaa12aae57ee57c36db36d5eb315373bcadb6c
  SHA256: 3b5b0403702eb792bae7f736afdfb7474d83a1ee471c334e9988926d3cf420ae
  SHA512: 148c03979dedb4b24ca88dad4b0d4d7ea6409febd34921044fa37be016632bb0267c737ef2b0d3da317010f0a868ced277ec632868cd8810fdc80646260adcdd
- memory/640-114-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp (Filesize 64KB)
- memory/640-115-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp (Filesize 64KB)
- memory/640-116-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp (Filesize 64KB)
- memory/640-117-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp (Filesize 64KB)
- memory/640-119-0x00007FFAC4B10000-0x00007FFAC4B20000-memory.dmp (Filesize 64KB)
- memory/640-118-0x00007FFAE5CA0000-0x00007FFAE87C3000-memory.dmp (Filesize 43.1MB)
- memory/640-122-0x00007FFAE06B0000-0x00007FFAE179E000-memory.dmp (Filesize 16.9MB)
- memory/640-123-0x00007FFADE7B0000-0x00007FFAE06A5000-memory.dmp (Filesize 31.0MB)
- memory/1160-143-0x0000000000000000-mapping.dmp
- memory/3136-145-0x0000000000000000-mapping.dmp