7ddb285312948e5156adf11beb10a5970ac6a02382c7a11ce3217c70358e596f

General

Target

input 07.21.2021.doc
Size

72KB
MD5

2405219be1d899e9d361e0f4458cff83
SHA1

7dc5167b155ec70d09bba50290533fee5b7649ce
SHA256

7ddb285312948e5156adf11beb10a5970ac6a02382c7a11ce3217c70358e596f
SHA512

079879ded584395310ed36d6c2e1070875bdb42a316b1cd2b944d590e029a3b14f64ad18c7622a60fcaf9ef0ce13a7539f87bbd6472a6611867fd4a3d39102bb

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2704	500	cmd.exe	WINWORD.EXE

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3860 created 2776 3860 WerFault.exe mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1956 2776 WerFault.exe mshta.exe
3860 2776 WerFault.exe mshta.exe

description	pid	process	target process
PID 3860 created 2776	3860	WerFault.exe	mshta.exe

pid	pid_target	process	target process
1956	2776	WerFault.exe	mshta.exe
3860	2776	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

500 WINWORD.EXE
500 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1956 WerFault.exe
Token: SeBackupPrivilege 1956 WerFault.exe
Token: SeDebugPrivilege 1956 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1956	WerFault.exe
Token: SeBackupPrivilege	1956	WerFault.exe
Token: SeDebugPrivilege	1956	WerFault.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE
500	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 500 wrote to memory of 2704	500	WINWORD.EXE	cmd.exe
PID 500 wrote to memory of 2704	500	WINWORD.EXE	cmd.exe
PID 2704 wrote to memory of 2776	2704	cmd.exe	mshta.exe
PID 2704 wrote to memory of 2776	2704	cmd.exe	mshta.exe
PID 2704 wrote to memory of 2776	2704	cmd.exe	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\input 07.21.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c c:\programdata\sds.hta
  2⤵
  - Process spawned unexpected child process
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sds.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1376
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1648
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\sds.hta

MD5
c5f48abc68324cd059e74b35c44b64c7

SHA1
e68b086934eb0d4576ac3711062efba4236df436

SHA256
9a3c69a9e5f02c1e3022586c5ffe3e9dca7224f4c5107ce1f758eae62f747576

SHA512
271dedd705ed5a64cda497d0b86cd1509f34911602aac65cbc8a5120ef37efccc2ec8d45538cec29e1bbb5aa5fb5d76aa0a3502e00208e0c4067d4dd9b465d21

Download Submit
memory/500-117-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-345-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-114-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-118-0x00007FFDFD4C0000-0x00007FFDFFFE3000-memory.dmp

Filesize
43.1MB

Download
memory/500-119-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-122-0x00007FFDF8120000-0x00007FFDF920E000-memory.dmp

Filesize
16.9MB

Download
memory/500-123-0x00007FFDF5650000-0x00007FFDF7545000-memory.dmp

Filesize
31.0MB

Download
memory/500-348-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-115-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-347-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-116-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/500-346-0x00007FFDDC160000-0x00007FFDDC170000-memory.dmp

Filesize
64KB

Download
memory/2704-199-0x0000000000000000-mapping.dmp

Download
memory/2776-235-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads