Analysis
-
max time kernel
119s -
max time network
166s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
22-07-2021 08:58
Static task
static1
Behavioral task
behavioral1
Sample
order_07.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
order_07.21.doc
Resource
win10v20210410
General
-
Target
order_07.21.doc
-
Size
87KB
-
MD5
401b19c454075d52bd832725f3c22cfe
-
SHA1
088f76c184a0cba673abc41bd5582e4e21672fdd
-
SHA256
6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3
-
SHA512
b83ddf0a5dc6174591e0c07a1b87f5ffb5a1efa731913707829195415bed70a5dff43d9669e948e509fd3e77d15986391e1e01b9344c2694dd1b0fba5b87f894
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1892 1664 cmd.exe WINWORD.EXE -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1664 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1664 WINWORD.EXE 1664 WINWORD.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 1664 wrote to memory of 1892 1664 WINWORD.EXE cmd.exe PID 1664 wrote to memory of 1892 1664 WINWORD.EXE cmd.exe PID 1664 wrote to memory of 1892 1664 WINWORD.EXE cmd.exe PID 1664 wrote to memory of 1892 1664 WINWORD.EXE cmd.exe PID 1892 wrote to memory of 1424 1892 cmd.exe mshta.exe PID 1892 wrote to memory of 1424 1892 cmd.exe mshta.exe PID 1892 wrote to memory of 1424 1892 cmd.exe mshta.exe PID 1892 wrote to memory of 1424 1892 cmd.exe mshta.exe PID 1664 wrote to memory of 744 1664 WINWORD.EXE splwow64.exe PID 1664 wrote to memory of 744 1664 WINWORD.EXE splwow64.exe PID 1664 wrote to memory of 744 1664 WINWORD.EXE splwow64.exe PID 1664 wrote to memory of 744 1664 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order_07.21.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\programdata\captionEx.hta2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta"3⤵
- Modifies Internet Explorer settings
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\programdata\captionEx.htaMD5
111964af02201e77ad219f7562bf19b2
SHA19a48e4281a89383ff5af45ee2f2bf710704e5152
SHA256fb2a3eb78ef18021bd6da3398fb8d935fd3884f418dda72fc123903501b5b503
SHA512141c2dac7594678bc7da7de7e9dfc4e90a6a6b4e5ee5985b03f37e97827b59e0bbb6509d88ab6a3cf129de2eb1660b90fb953f2abce441f5d37154d2f3c34784
-
memory/744-67-0x0000000000000000-mapping.dmp
-
memory/744-68-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmpFilesize
8KB
-
memory/1424-66-0x0000000000000000-mapping.dmp
-
memory/1664-59-0x00000000726F1000-0x00000000726F4000-memory.dmpFilesize
12KB
-
memory/1664-60-0x0000000070171000-0x0000000070173000-memory.dmpFilesize
8KB
-
memory/1664-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1664-62-0x00000000753B1000-0x00000000753B3000-memory.dmpFilesize
8KB
-
memory/1664-69-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1892-63-0x0000000000000000-mapping.dmp