Analysis
- max time kernel: 268s
- max time network: 271s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-06-2021 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: ordain.06.21.2021.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ordain.06.21.2021.doc
- Resource: win10v20210408
General
- Target: ordain.06.21.2021.doc
- Size: 49KB
- MD5: 13731c9cb360c300137bcb1779267f41
- SHA1: cf816dc25baf65c92550452e3abe7f871af7f55a
- SHA256: 89816b893e66ff5eb9a42c14a2223e451e178c944438365ccecc9a8d1d64e6e8
- SHA512: 819e65feef603801ef28fd17a986085df277e5cb36c701a2471c00a4714ce51e376f4644ff9c264222bd35ec7192d4f62675673570a8633e330d337b921c1756
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1772 | 3628 | explorer.exe | WINWORD.EXE
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2136 | 2504 | WerFault.exe | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  pid | process
  3628 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  pid | process
  2136 | WerFault.exe (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2136 | WerFault.exe
  Token: SeBackupPrivilege | 2136 | WerFault.exe
  Token: SeDebugPrivilege | 2136 | WerFault.exe
- Suspicious use of SetWindowsHookEx (24 IoCs)
  Processes:
  pid | process
  3628 | WINWORD.EXE (24 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 3628 wrote to memory of 1772 | 3628 | WINWORD.EXE | explorer.exe (2 identical entries)
  PID 3168 wrote to memory of 2504 | 3168 | explorer.exe | mshta.exe (3 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordain.06.21.2021.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\explorer.exe
    Command line: explorer c:\programdata\memoryCurrencyTable.hta
    Signatures:
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\memoryCurrencyTable.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Child process:
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1320
      Signatures:
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\memoryCurrencyTable.hta
  MD5: c13c6a2a4422d7f7122277317c172ead
  SHA1: ccc044e0e5771e4962bcee4339ac35571644f886
  SHA256: 5deccd97c3d07d1a7243b42c5a841fe1fe23f9295dd5e19ba81f33867d0a848c
  SHA512: e4595df0a2ae52cf41c7655956371357b5174f4afba40c9f07e0e9196062061653eb98d7dca34ce28affeca18addf13d55affcec7bde9599979b91b28d501d3e
- memory/1772-179-0x0000000000000000-mapping.dmp
- memory/2504-181-0x0000000000000000-mapping.dmp
- memory/3628-114-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (Filesize: 64KB)
- memory/3628-115-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (Filesize: 64KB)
- memory/3628-116-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (Filesize: 64KB)
- memory/3628-117-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (Filesize: 64KB)
- memory/3628-119-0x00007FFA892C0000-0x00007FFA892D0000-memory.dmp (Filesize: 64KB)
- memory/3628-118-0x00007FFAAA370000-0x00007FFAACE93000-memory.dmp (Filesize: 43.1MB)
- memory/3628-122-0x00007FFAA4990000-0x00007FFAA5A7E000-memory.dmp (Filesize: 16.9MB)
- memory/3628-123-0x00007FFAA2A90000-0x00007FFAA4985000-memory.dmp (Filesize: 31.0MB)