Analysis

  • max time kernel
    119s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 08:58

General

  • Target

    order_07.21.doc

  • Size

    87KB

  • MD5

    401b19c454075d52bd832725f3c22cfe

  • SHA1

    088f76c184a0cba673abc41bd5582e4e21672fdd

  • SHA256

    6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3

  • SHA512

    b83ddf0a5dc6174591e0c07a1b87f5ffb5a1efa731913707829195415bed70a5dff43d9669e948e509fd3e77d15986391e1e01b9344c2694dd1b0fba5b87f894

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but on its own it is a weak signal: nothing else in this report (no mass file writes, no encryption or ransom-note activity) corroborates it, and the process tree below points at a macro-driven script dropper instead.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order_07.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\programdata\captionEx.hta
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta"
        3⤵
        • Modifies Internet Explorer settings
        PID:1424
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:744
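
The tree above is the security-relevant part of the report. Word (PID 1664) is the process that drops files and that spawns cmd.exe with `cmd /c c:\programdata\captionEx.hta`; cmd resolves the .hta path through the file association, so mshta.exe (PID 1424) runs the dropped script with Word as its grandparent rather than its direct parent. The splwow64.exe child (PID 744) is the 32-bit print-spooler helper that Word starts on its own and is noise here. The block below is an added detection example, not code from the sandbox or the report: it parses process-creation records constructed to mirror this tree (the `key=value|key=value` record format and the parent PID 900 assigned to WINWORD.EXE are assumptions, not captured telemetry) and applies three rules, one of which walks the whole ancestry so the cmd.exe hop does not hide mshta.exe from an "Office spawned a script host" check.

```python
"""Detect the WINWORD.EXE -> cmd.exe -> mshta.exe chain from the process tree.
Added example, not part of the sandbox report. SAMPLE_EVENTS below are
constructed to mirror the report's tree (images, command lines, PIDs); the
record format and WINWORD.EXE's parent PID (900) are assumptions."""

import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Writable locations a dropped payload typically lands in before execution.
DROP_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    chain: List[str]  # image basenames, oldest known ancestor first


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'pid=..|ppid=..|image=..|cmdline=..' record."""
    kv = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(int(kv["pid"]), int(kv["ppid"]), kv["image"], kv["cmdline"])


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk parent links upward; the visited set guards against PID-reuse cycles."""
    chain, seen = [], set()
    cur: Optional[ProcEvent] = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(lines: List[str]) -> List[Finding]:
    events = [parse_event(line) for line in lines]
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        child = basename(ev.image)
        chain = ancestry(ev, by_pid)
        cmd = ev.cmdline.lower()
        # Rule 1: a shell or script host with an Office process anywhere above it.
        # Checking the full ancestry (chain[:-1] excludes the event itself) is what
        # still catches mshta.exe here: its parent is cmd.exe, not WINWORD.EXE.
        if child in SCRIPT_HOSTS and any(a in OFFICE_IMAGES for a in chain[:-1]):
            findings.append(Finding("office_ancestor_of_script_host", ev.pid, chain))
        # Rule 2: cmd.exe handed a .hta path. 'cmd /c file.hta' runs it through the
        # .hta file association, so mshta.exe follows without ever being named.
        if child == "cmd.exe" and ".hta" in cmd:
            findings.append(Finding("cmd_launches_hta_by_association", ev.pid, chain))
        # Rule 3: mshta.exe executing an .hta from a writable drop location.
        if child == "mshta.exe" and ".hta" in cmd and any(d in cmd for d in DROP_DIRS):
            findings.append(Finding("mshta_hta_from_drop_dir", ev.pid, chain))
    return findings


# Constructed records mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    r'pid=1664|ppid=900|image=C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE'
    r'|cmdline="C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
    r'"C:\Users\Admin\AppData\Local\Temp\order_07.21.doc"',
    r'pid=1892|ppid=1664|image=C:\Windows\SysWOW64\cmd.exe'
    r'|cmdline=cmd /c c:\programdata\captionEx.hta',
    r'pid=1424|ppid=1892|image=C:\Windows\SysWOW64\mshta.exe'
    r'|cmdline="C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta"',
    r'pid=744|ppid=1664|image=C:\Windows\splwow64.exe'
    r'|cmdline=C:\Windows\splwow64.exe 12288',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:34} pid={f.pid:<5} {' > '.join(f.chain)}")
```

Run against the constructed records, the rules fire four times: cmd.exe (1892) on rules 1 and 2, mshta.exe (1424) on rules 1 and 3, and nothing on splwow64.exe (744). A direct-parent-only version of rule 1 would have missed 1424 entirely, which is the reason to build the ancestry rather than compare parent and child images.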

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 technique observed
  • Discovery: System Information Discovery (T1082), 1 technique observed

Downloads

  • C:\programdata\captionEx.hta
    MD5

    111964af02201e77ad219f7562bf19b2

    SHA1

    9a48e4281a89383ff5af45ee2f2bf710704e5152

    SHA256

    fb2a3eb78ef18021bd6da3398fb8d935fd3884f418dda72fc123903501b5b503

    SHA512

    141c2dac7594678bc7da7de7e9dfc4e90a6a6b4e5ee5985b03f37e97827b59e0bbb6509d88ab6a3cf129de2eb1660b90fb953f2abce441f5d37154d2f3c34784

  • memory/744-67-0x0000000000000000-mapping.dmp
  • memory/744-68-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
    Filesize

    8KB

  • memory/1424-66-0x0000000000000000-mapping.dmp
  • memory/1664-59-0x00000000726F1000-0x00000000726F4000-memory.dmp
    Filesize

    12KB

  • memory/1664-60-0x0000000070171000-0x0000000070173000-memory.dmp
    Filesize

    8KB

  • memory/1664-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1664-62-0x00000000753B1000-0x00000000753B3000-memory.dmp
    Filesize

    8KB

  • memory/1664-69-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1892-63-0x0000000000000000-mapping.dmp