Analysis
-
max time kernel
242s -
max time network
251s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
28-06-2021 13:45
Static task
static1
Behavioral task
behavioral1
Sample
legal agreement-06.28.2021.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
legal agreement-06.28.2021.doc
Resource
win10v20210408
General
-
Target
legal agreement-06.28.2021.doc
-
Size
50KB
-
MD5
ffad9afed8f30d780cac0808da1c5d3f
-
SHA1
b838575fe38390f411e85505607023b6764101a1
-
SHA256
133eaec108dcdf485a65616e0b26d8ffe1781e795b49bef6021c51679bf92c7a
-
SHA512
91823ef5ca872eb7dd93b5419de870aaa4e44086b5f0adbb277d2c08d40536146a71378cce8600af82880d5771d6311ce0b9e227795270ac1f83a1c5352b30e0
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3916 656 cmd.exe WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1868 396 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 656 WINWORD.EXE 656 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe 1868 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1868 WerFault.exe Token: SeBackupPrivilege 1868 WerFault.exe Token: SeDebugPrivilege 1868 WerFault.exe -
Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
WINWORD.EXEpid process 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE 656 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 656 wrote to memory of 3916 656 WINWORD.EXE cmd.exe PID 656 wrote to memory of 3916 656 WINWORD.EXE cmd.exe PID 3916 wrote to memory of 396 3916 cmd.exe mshta.exe PID 3916 wrote to memory of 396 3916 cmd.exe mshta.exe PID 3916 wrote to memory of 396 3916 cmd.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement-06.28.2021.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c c:\\users\\public\\doubleBorderInt.hta2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\doubleBorderInt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 13204⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\doubleBorderInt.htaMD5
a27bc3fd105fca9661e54e0d9b38ebe0
SHA123dabd40d9a90ead8bfbc1b1b56b7ab712460a7d
SHA256b3be02abef98fd6bde2752217b996cb0ab6ea534be8aadb9440474e1088a90af
SHA512481068bef5774b26198b3799cfc2f4b0b6d763353ad118e7eb59584b190dfda75bca619f9a38ba611e311b2e4589cd78215f8044c24b756b459e337b6fc4b4ba
-
memory/396-181-0x0000000000000000-mapping.dmp
-
memory/656-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/656-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/656-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/656-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/656-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/656-118-0x00007FFA7A870000-0x00007FFA7D393000-memory.dmpFilesize
43.1MB
-
memory/656-122-0x00007FFA74700000-0x00007FFA757EE000-memory.dmpFilesize
16.9MB
-
memory/656-123-0x00007FFA72800000-0x00007FFA746F5000-memory.dmpFilesize
31.0MB
-
memory/3916-179-0x0000000000000000-mapping.dmp