Overview

overview

10

Static

static

8

legal agre...21.doc

windows7_x64

10

legal agre...21.doc

windows10_x64

10

Analysis

  • max time kernel
    242s
  • max time network
    251s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-06-2021 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legal agreement-06.28.2021.doc

  • Size

    50KB

  • MD5

    ffad9afed8f30d780cac0808da1c5d3f

  • SHA1

    b838575fe38390f411e85505607023b6764101a1

  • SHA256

    133eaec108dcdf485a65616e0b26d8ffe1781e795b49bef6021c51679bf92c7a

  • SHA512

    91823ef5ca872eb7dd93b5419de870aaa4e44086b5f0adbb277d2c08d40536146a71378cce8600af82880d5771d6311ce0b9e227795270ac1f83a1c5352b30e0

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement-06.28.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\\users\\public\\doubleBorderInt.hta
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\doubleBorderInt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:396
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1320
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1868

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\users\public\doubleBorderInt.hta
      MD5

      a27bc3fd105fca9661e54e0d9b38ebe0

      SHA1

      23dabd40d9a90ead8bfbc1b1b56b7ab712460a7d

      SHA256

      b3be02abef98fd6bde2752217b996cb0ab6ea534be8aadb9440474e1088a90af

      SHA512

      481068bef5774b26198b3799cfc2f4b0b6d763353ad118e7eb59584b190dfda75bca619f9a38ba611e311b2e4589cd78215f8044c24b756b459e337b6fc4b4ba

      Download Submit
    • memory/396-181-0x0000000000000000-mapping.dmp
      Download
    • memory/656-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/656-118-0x00007FFA7A870000-0x00007FFA7D393000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/656-122-0x00007FFA74700000-0x00007FFA757EE000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/656-123-0x00007FFA72800000-0x00007FFA746F5000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/3916-179-0x0000000000000000-mapping.dmp
      Download