173e1ba2a7c2995c59bd1d79c8c246dc5f75835552574c87bd9bd8129977de4d

General

Target

command,07.21.doc
Size

69KB
MD5

1b265cbdfb47ef2675bbc19d7542aec3
SHA1

f441fde137975ecfa73c6b9d80423872443b4247
SHA256

173e1ba2a7c2995c59bd1d79c8c246dc5f75835552574c87bd9bd8129977de4d
SHA512

62232fd788671d69bcdb725a52dec70caab92f790a7ae6b2f7964dd6ba5b6dd28526d0df11c428ed0bc1a910cecdac26445332e9016bbf5aa4c594e8779af255

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2000	1080	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 1536 mshta.exe
Downloads MZ/PE file

flow	pid	process
5	1536	mshta.exe

Tries to connect to .bazar domain 36 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
39	whitestorm9p.bazar
47	yellowdownpour81.bazar
50	yellowdownpour81.bazar
57	yellowdownpour81.bazar
35	whitestorm9p.bazar
43	whitestorm9p.bazar
22	greencloud46a.bazar
27	greencloud46a.bazar
31	greencloud46a.bazar
32	greencloud46a.bazar
56	yellowdownpour81.bazar
26	greencloud46a.bazar
48	yellowdownpour81.bazar
51	yellowdownpour81.bazar
53	yellowdownpour81.bazar
40	whitestorm9p.bazar
45	whitestorm9p.bazar
49	yellowdownpour81.bazar
24	greencloud46a.bazar
28	greencloud46a.bazar
33	greencloud46a.bazar
38	whitestorm9p.bazar
42	whitestorm9p.bazar
44	whitestorm9p.bazar
54	yellowdownpour81.bazar
55	yellowdownpour81.bazar
25	greencloud46a.bazar
46	yellowdownpour81.bazar
23	greencloud46a.bazar
29	greencloud46a.bazar
34	whitestorm9p.bazar
41	whitestorm9p.bazar
30	greencloud46a.bazar
36	whitestorm9p.bazar
37	whitestorm9p.bazar
52	yellowdownpour81.bazar

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1732 regsvr32.exe
1692 regsvr32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 15 https://api.opennicproject.org/geoip/?bare&ipv=4
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

pid	process
1732	regsvr32.exe
1692	regsvr32.exe

description	flow	ioc
HTTP URL	15	https://api.opennicproject.org/geoip/?bare&ipv=4

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1080 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1080 WINWORD.EXE
1080 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1080 WINWORD.EXE
1080 WINWORD.EXE

pid	process
1080	WINWORD.EXE

pid	process
1080	WINWORD.EXE
1080	WINWORD.EXE

pid	process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exeregsvr32.exe

description	pid	process	target process
PID 1080 wrote to memory of 2000	1080	WINWORD.EXE	cmd.exe
PID 1080 wrote to memory of 2000	1080	WINWORD.EXE	cmd.exe
PID 1080 wrote to memory of 2000	1080	WINWORD.EXE	cmd.exe
PID 1080 wrote to memory of 2000	1080	WINWORD.EXE	cmd.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	mshta.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	mshta.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	mshta.exe
PID 2000 wrote to memory of 1536	2000	cmd.exe	mshta.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1536 wrote to memory of 1732	1536	mshta.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1732 wrote to memory of 1692	1732	regsvr32.exe	regsvr32.exe
PID 1080 wrote to memory of 300	1080	WINWORD.EXE	splwow64.exe
PID 1080 wrote to memory of 300	1080	WINWORD.EXE	splwow64.exe
PID 1080 wrote to memory of 300	1080	WINWORD.EXE	splwow64.exe
PID 1080 wrote to memory of 300	1080	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\command,07.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\programdata\sds.hta
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sds.hta"
    3⤵
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" c:\users\public\girlYou.jpg
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\system32\regsvr32.exe
        
        c:\users\public\girlYou.jpg
        5⤵
        Loads dropped DLL
        
        PID:1692
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\sds.hta

MD5
6cf8aee8344612d0abc243d87c729b7a

SHA1
eebe12b6ae78a08aa289a021f78f28a66275408e

SHA256
fda3898a2ec3a99f67b26503ccda8eab6fde313df3aa3a9f6ce4ffb62a2ff49b

SHA512
e086c23487a4ee5084b6b111732263d7d0aaf9e8c61400eae5b956160d60e5bac723aec5469f14933db7d9fb630e56eaa48ba31fc0c0c07d033e9dffaaf45827

Download Submit
\??\c:\users\public\girlYou.jpg

MD5
9ea54059855e1e754c09dca1e247966f

SHA1
9178c5ecb80c26e5744f5199f7a184570b21f121

SHA256
4317d61bba715029afa826af53d2e6f75237d0a2dc7069092c310719aa1394c0

SHA512
6274a1fde335716b0e0ebd13c51c478d6688ea9d42b2b83c5f2556f412b52c0717cd45ec3ef9989b58e77722b52e37f36d9da263f817c0527276e4b6494bbe67

Download Submit
\Users\Public\girlYou.jpg

MD5
9ea54059855e1e754c09dca1e247966f

SHA1
9178c5ecb80c26e5744f5199f7a184570b21f121

SHA256
4317d61bba715029afa826af53d2e6f75237d0a2dc7069092c310719aa1394c0

SHA512
6274a1fde335716b0e0ebd13c51c478d6688ea9d42b2b83c5f2556f412b52c0717cd45ec3ef9989b58e77722b52e37f36d9da263f817c0527276e4b6494bbe67

Download Submit
\Users\Public\girlYou.jpg

MD5
9ea54059855e1e754c09dca1e247966f

SHA1
9178c5ecb80c26e5744f5199f7a184570b21f121

SHA256
4317d61bba715029afa826af53d2e6f75237d0a2dc7069092c310719aa1394c0

SHA512
6274a1fde335716b0e0ebd13c51c478d6688ea9d42b2b83c5f2556f412b52c0717cd45ec3ef9989b58e77722b52e37f36d9da263f817c0527276e4b6494bbe67

Download Submit
memory/300-76-0x0000000000000000-mapping.dmp

Download
memory/1080-63-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1080-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1080-61-0x00000000707D1000-0x00000000707D3000-memory.dmp

Filesize
8KB

Download
memory/1080-60-0x0000000072D51000-0x0000000072D54000-memory.dmp

Filesize
12KB

Download
memory/1080-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1536-67-0x0000000000000000-mapping.dmp

Download
memory/1692-72-0x0000000000000000-mapping.dmp

Download
memory/1692-73-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1692-75-0x0000000001EB0000-0x000000000215A000-memory.dmp

Filesize
2.7MB

Download
memory/1732-68-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads