Analysis

  • max time kernel
    111s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-06-2021 23:44

General

  • Target

    docs,06.21.doc

  • Size

    50KB

  • MD5

    a75fa282ba05937f43c4425e548f1d5c

  • SHA1

    565ca43482c76d02eb4f5e55deb2af53dfa3b8db

  • SHA256

    266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602

  • SHA512

    6343c053c5cca9f6e4b9e4b157c19aba9c47cc1722e4b8a158009cce7c7a8cb88dc3cbb95581888c76fd708c1d8c212dca1a5dc9a393594957fb7f6602c119f5

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\\users\\public\\buttListboxSngl.hta
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:188
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1332
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3644
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1632
            4⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            PID:3476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\users\public\buttListboxSngl.hta
      MD5

      aa68b2d92b79feae09dcb76d34ac9fb7

      SHA1

      8ead6aa56c4426d4fe5f7d415d927379a116c03d

      SHA256

      7a8ba83948952fb9fdc6237adf609e8e3f1caf2dbce6ca6e6b5ae4aca0d04a20

      SHA512

      a09cf9694aee32013a3ee6718d30168f6ee2fb407a7396fece6388009de9608391725d4e590f1f659fcfcd7830cb644310cae4463127772fa5d00ed8f7fbc793

    • memory/188-181-0x0000000000000000-mapping.dmp
    • memory/772-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

    • memory/772-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

    • memory/772-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

    • memory/772-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

    • memory/772-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

    • memory/772-118-0x00007FF8468C0000-0x00007FF8493E3000-memory.dmp
      Filesize

      43.1MB

    • memory/772-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmp
      Filesize

      16.9MB

    • memory/772-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmp
      Filesize

      31.0MB

    • memory/2440-179-0x0000000000000000-mapping.dmp