Analysis

max time kernel: 111s
max time network: 136s
platform: windows10_x64
resource: win10v20210410
submitted: 23-06-2021 23:44

Static task: static1
Behavioral task: behavioral1
  Sample: docs,06.21.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: docs,06.21.doc
  Resource: win10v20210410
General

Target: docs,06.21.doc
Size: 50KB
MD5: a75fa282ba05937f43c4425e548f1d5c
SHA1: 565ca43482c76d02eb4f5e55deb2af53dfa3b8db
SHA256: 266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602
SHA512: 6343c053c5cca9f6e4b9e4b157c19aba9c47cc1722e4b8a158009cce7c7a8cb88dc3cbb95581888c76fd708c1d8c212dca1a5dc9a393594957fb7f6602c119f5
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  cmd.exe (PID 2440), parent WINWORD.EXE (PID 772): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  WerFault.exe (PID 3476), target process mshta.exe: PID 3476 created 188
Enumerates physical storage devices (1 TTP, no IoCs listed)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text adds "likely ransomware behaviour", but the report attributes no process or IoC to this signature, and nothing else on this page (a document launching cmd.exe and mshta.exe, with the mshta.exe payload crashing) corroborates that reading; treat it as an unconfirmed heuristic.
Program crash (2 IoCs)
Processes:
  WerFault.exe (PID 3644), crashed process mshta.exe (PID 188)
  WerFault.exe (PID 3476), crashed process mshta.exe (PID 188)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Word reads these keys during ordinary start-up as well, so on its own this is a weak signal; note that the reader here is the document host (WINWORD.EXE), not the dropped payload.
Processes:
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (1 IoC)
Processes:
  cmd.exe: key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  WINWORD.EXE (PID 772), 2 occurrences
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  WerFault.exe (PID 3644), 15 occurrences
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  WerFault.exe (PID 3644): Token: SeRestorePrivilege
  WerFault.exe (PID 3644): Token: SeBackupPrivilege
  WerFault.exe (PID 3644): Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (25 IoCs)
Processes:
  WINWORD.EXE (PID 772), 25 occurrences
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 772 (WINWORD.EXE) wrote to memory of PID 2440 (cmd.exe), 2 occurrences
  PID 2440 (cmd.exe) wrote to memory of PID 188 (mshta.exe), 3 occurrences
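The registry signatures above (processor information, BIOS/system information, registry class) are listed one key per IoC. A detection engineer normally wants them rolled up per process, so that one process reading several hardware-description key groups stands out while a routine single-key read does not. The block below is an added example written for this page, not code from the Triage sandbox or from the report. It assumes Sysmon-style registry events (EventID 12/13 ProcessId, Image and TargetObject, renamed here to pid, image and target) and runs over constructed events that mirror the report's six WINWORD.EXE IoCs and the cmd.exe key creation, plus one made-up single-key read by a service as noise.

```python
"""Roll up hardware-description registry reads per process.

Added example, not part of the Triage report. Event fields approximate Sysmon
RegistryEvent (EventID 12/13) ProcessId / Image / TargetObject; the events
below are constructed from the report's IoCs plus made-up noise.
"""
from collections import defaultdict

# Key groups the report shows WINWORD.EXE (PID 772) reading. Each group is a
# prefix under HKLM\HARDWARE\DESCRIPTION\System; matching is case-insensitive.
HARDWARE_KEY_GROUPS = {
    "cpu": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0",
    "bios": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS",
}


def key_group(target):
    """Return the hardware key group a registry path falls under, else None."""
    t = target.upper().rstrip("\\")
    for group, prefix in HARDWARE_KEY_GROUPS.items():
        if t == prefix or t.startswith(prefix + "\\"):
            return group
    return None


def rollup_hardware_reads(events, min_groups=2):
    """Group hardware-description reads by (pid, IMAGE).

    Returns {(pid, IMAGE): {"groups": set, "targets": [...]}} for processes
    that touched at least `min_groups` distinct key groups. A single read of
    one key (e.g. ~MHz by a service) is routine and is filtered out. Word
    itself reads these keys on start-up, so even a hit is a correlation
    input for the process-tree findings, not an alert on its own.
    """
    per_proc = defaultdict(lambda: {"groups": set(), "targets": []})
    for ev in events:
        group = key_group(ev["target"])
        if group is None:
            continue
        entry = per_proc[(ev["pid"], ev["image"].upper())]
        entry["groups"].add(group)
        entry["targets"].append(ev["target"])
    return {k: v for k, v in per_proc.items() if len(v["groups"]) >= min_groups}


# Constructed events: the six WINWORD.EXE IoCs from the report, the cmd.exe
# registry-class creation, and one made-up single-key read by a service.
SAMPLE_REGISTRY_EVENTS = [
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"},
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"},
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily"},
    {"pid": 772, "image": "WINWORD.EXE", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"pid": 2440, "image": "cmd.exe", "target": r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings"},
    {"pid": 4000, "image": "svchost.exe", "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},  # made-up noise
]

if __name__ == "__main__":
    for (pid, image), info in rollup_hardware_reads(SAMPLE_REGISTRY_EVENTS).items():
        print(f"{image} (pid {pid}) read {len(info['targets'])} values across {sorted(info['groups'])}")
```

Run as-is it reports only WINWORD.EXE (pid 772), six reads across the bios and cpu groups; the svchost.exe noise falls below the two-group threshold and the cmd.exe write is outside the hardware hive. Lowering `min_groups` to 1 shows how quickly the rule turns into noise.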
Processes
(Nesting shows parent/child depth; PIDs are taken from the Signatures section.)

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 772)
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SYSTEM32\cmd.exe (PID 2440, child of 772)
      cmd /c c:\\users\\public\\buttListboxSngl.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe (PID 188, child of 2440)
         "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

         4. C:\Windows\SysWOW64\WerFault.exe (PID 3644, child of 188)
            C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1332
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

         4. C:\Windows\SysWOW64\WerFault.exe (PID 3476, child of 188)
            C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1632
            - Suspicious use of NtCreateProcessExOtherParentProcess
            - Program crash
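The process tree above (WINWORD.EXE to cmd.exe to mshta.exe, then two WerFault.exe instances for PID 188) is the chain most worth alerting on: an Office application has no business launching a script host, and the .hta sits in the world-writable C:\users\public. The block below is an added example written for this page, not code from the Triage sandbox or from the report. It assumes Sysmon-style process-creation events (EventID 1 ProcessId, ParentProcessId, Image and CommandLine, renamed here to pid, ppid, image and cmdline), reconstructs each suspect process's ancestry, and reads the crashed PID out of the WerFault.exe command line so the finding also records that the payload died. The sample events are constructed from the report's tree (PIDs from the Signatures section; WINWORD's parent PID 600 is made up) plus made-up benign noise.

```python
"""Flag script hosts launched under an Office lineage and cross-reference crashes.

Added example, not part of the Triage report. Event fields approximate Sysmon
process-creation (EventID 1) ProcessId / ParentProcessId / Image / CommandLine;
the sample events are constructed from this report's process tree plus made-up
benign noise.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins an Office process has no legitimate reason to launch.
SUSPECT_CHILDREN = {"cmd.exe", "mshta.exe", "powershell.exe", "wscript.exe",
                    "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# World-writable drop directories; the report's .hta lives in C:\users\public.
WRITABLE_DIRS = re.compile(r"(?i)\\users\\public\\|\\appdata\\local\\temp\\|\\programdata\\")
# WerFault.exe -u -p <pid> -s <event>: the crashed process is the -p argument.
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Image basenames from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def crashed_pids(events):
    """PIDs that Windows Error Reporting was started for."""
    crashed = set()
    for ev in events:
        if basename(ev["image"]) == "werfault.exe":
            m = WERFAULT_PID.search(ev["cmdline"])
            if m:
                crashed.add(int(m.group(1)))
    return crashed


def detect(events):
    """Return findings for suspect children that have an Office process in their ancestry."""
    by_pid = {ev["pid"]: ev for ev in events}
    crashed = crashed_pids(events)
    findings = []
    for ev in events:
        child = basename(ev["image"])
        if child not in SUSPECT_CHILDREN:
            continue
        chain = ancestry(by_pid, ev["pid"])
        if not any(a in OFFICE_PARENTS for a in chain[:-1]):
            continue  # script host with a non-Office lineage: routine admin activity
        reasons = ["office_lineage"]
        cmd = ev["cmdline"].lower()
        if child == "mshta.exe" and ".hta" in cmd and WRITABLE_DIRS.search(cmd):
            reasons.append("hta_from_writable_dir")
        if ev["pid"] in crashed:
            reasons.append("crashed")  # payload died; later stages may be missing
        findings.append({"pid": ev["pid"], "chain": chain, "reasons": reasons})
    return findings


# Constructed events mirroring the report's tree (PIDs from the signature
# tables; WINWORD's parent PID 600 is made up) plus benign noise.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 772, "ppid": 600, "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc" /o ""'},
    {"pid": 2440, "ppid": 772, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r"cmd /c c:\\users\\public\\buttListboxSngl.hta"},
    {"pid": 188, "ppid": 2440, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 3644, "ppid": 188, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1332"},
    {"pid": 3476, "ppid": 188, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 188 -s 1632"},
    # Noise: an admin's cmd.exe (parent unknown) running an HTA from a tools directory.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c C:\Tools\report.hta"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta C:\Tools\report.hta"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_PROCESS_EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])}  [{', '.join(f['reasons'])}]")
```

Run as-is it prints two findings, pid 2440 (office_lineage) and pid 188 (office_lineage, hta_from_writable_dir, crashed). The lineage walk is what keeps the noise out: the admin-launched mshta.exe has the same command shape but no Office ancestor. On the report's own data, the crashed tag on PID 188 is the cue that a quiet Network section may reflect the payload failing on this Windows 10 image rather than the sample's intent.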
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\buttListboxSngl.hta
  MD5: aa68b2d92b79feae09dcb76d34ac9fb7
  SHA1: 8ead6aa56c4426d4fe5f7d415d927379a116c03d
  SHA256: 7a8ba83948952fb9fdc6237adf609e8e3f1caf2dbce6ca6e6b5ae4aca0d04a20
  SHA512: a09cf9694aee32013a3ee6718d30168f6ee2fb407a7396fece6388009de9608391725d4e590f1f659fcfcd7830cb644310cae4463127772fa5d00ed8f7fbc793

Memory dumps (filename, filesize where given):
  memory/188-181-0x0000000000000000-mapping.dmp
  memory/772-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp (64KB)
  memory/772-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp (64KB)
  memory/772-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp (64KB)
  memory/772-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp (64KB)
  memory/772-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp (64KB)
  memory/772-118-0x00007FF8468C0000-0x00007FF8493E3000-memory.dmp (43.1MB)
  memory/772-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmp (16.9MB)
  memory/772-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmp (31.0MB)
  memory/2440-179-0x0000000000000000-mapping.dmp