Analysis

max time kernel:  141s
max time network: 137s
platform:         windows10_x64
resource:         win10v20210410
submitted:        22-07-2021 08:58
Static task: static1

Behavioral task: behavioral1
  Sample:   order_07.21.doc
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample:   order_07.21.doc
  Resource: win10v20210410
General

Target: order_07.21.doc
Size:   87KB
MD5:    401b19c454075d52bd832725f3c22cfe
SHA1:   088f76c184a0cba673abc41bd5582e4e21672fdd
SHA256: 6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3
SHA512: b83ddf0a5dc6174591e0c07a1b87f5ffb5a1efa731913707829195415bed70a5dff43d9669e948e509fd3e77d15986391e1e01b9344c2694dd1b0fba5b87f894
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description:  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid:          1468 (cmd.exe)
  pid_target:   4056 (WINWORD.EXE)

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description:  PID 2252 created 3736
  pid:          2252 (WerFault.exe)
  target:       3736 (mshta.exe)
WerFault.exe is the Windows Error Reporting crash handler (the "-u -p 3736 -s ..." invocations in the process tree). The WER service starts it with the crashed process set as its parent, so this signature is a side effect of mshta.exe crashing, not parent-spoofing by the sample.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process or IoC is attributed to this signature in the report; the ransomware wording is the sandbox's generic description of the signature, not a finding specific to this sample.

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  3144  3736        WerFault.exe  mshta.exe
  2252  3736        WerFault.exe  mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
The querying process is WINWORD.EXE itself, which reads these keys during normal start-up as well, so on its own this is weak evidence of sandbox evasion.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  cmd.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  4056  WINWORD.EXE  (2 events)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  3144  WerFault.exe  (15 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeRestorePrivilege  3144  WerFault.exe
  Token: SeBackupPrivilege   3144  WerFault.exe
  Token: SeDebugPrivilege    3144  WerFault.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
Processes:
  4056  WINWORD.EXE  (13 events)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 4056 wrote to memory of 1468  WINWORD.EXE -> cmd.exe  (2 events)
  PID 1468 wrote to memory of 3736  cmd.exe -> mshta.exe    (3 events)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (pid 4056, depth 1)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order_07.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe  (pid 1468, depth 2)
    cmd /c c:\programdata\captionEx.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe  (pid 3736, depth 3)
      "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

      C:\Windows\SysWOW64\WerFault.exe  (pid 3144, depth 4)
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe  (pid 2252, depth 4)
        C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1632
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
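The chain in this tree (WINWORD.EXE starting cmd.exe, which runs the dropped .hta so that the shell's file association launches mshta.exe) is what a detection engineer wants to alert on. The following is an added example and is not part of this report or of the sandbox's own signature logic: it encodes the three checks a practitioner would write for this tree and runs them over process-start events constructed from the tree above. The explorer.exe parent (pid 900) and the four-field event layout are assumptions; production telemetry would come from Sysmon Event ID 1 or the EDR's process-start events, and should be keyed by process GUID rather than pid where pids can be reused.

```python
"""Parent/child detection for the WINWORD.EXE -> cmd.exe -> mshta.exe chain.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree in the report (pids, images and command lines as reported); the
explorer.exe parent with pid 900 is an assumption, since the report does not
show Word's parent.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, NamedTuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Shells and script hosts an Office process has no business starting
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# User-writable directories an HTA is typically dropped to (C:\programdata here)
DROP_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        # ntpath handles backslash paths regardless of the host OS
        return ntpath.basename(self.image).lower()


class Finding(NamedTuple):
    rule: str
    pid: int
    chain: str  # root > ... > flagged process


# Constructed from the process tree above; pid 900 / explorer.exe is assumed.
EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4056, 900, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\order_07.21.doc" /o ""'),
    ProcEvent(1468, 4056, r"C:\Windows\SYSTEM32\cmd.exe", r"cmd /c c:\programdata\captionEx.hta"),
    ProcEvent(3736, 1468, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta" '
              r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    ProcEvent(3144, 3736, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324"),
    ProcEvent(2252, 3736, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1632"),
]


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """The process followed by its parents up to the root; stops on an unknown pid or a loop."""
    out: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return out


def chain_for(events: List[ProcEvent], pid: int) -> str:
    """Root-to-leaf lineage as 'explorer.exe > winword.exe > ...'."""
    by_pid = {e.pid: e for e in events}
    return " > ".join(e.name for e in reversed(ancestry(by_pid, pid)))


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Three rules, from most specific to most general, so that a missed link in the
    chain (the cmd.exe hop, say) still yields a hit on mshta.exe via its ancestry."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        lineage = ancestry(by_pid, e.pid)
        chain = " > ".join(x.name for x in reversed(lineage))
        parent = by_pid.get(e.ppid)
        # 1. Office application directly starting a shell or script host
        if parent is not None and parent.name in OFFICE_IMAGES and e.name in LOLBINS:
            findings.append(Finding("office_spawns_lolbin", e.pid, chain))
        # 2. mshta.exe executing an .hta from a user-writable drop directory
        cl = e.cmdline.lower()
        if e.name == "mshta.exe" and ".hta" in cl and any(d in cl for d in DROP_DIRS):
            findings.append(Finding("mshta_hta_from_drop_dir", e.pid, chain))
        # 3. Any shell / script host with an Office process anywhere above it
        if e.name in LOLBINS and any(a.name in OFFICE_IMAGES for a in lineage[1:]):
            findings.append(Finding("office_in_lolbin_ancestry", e.pid, chain))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.chain}")
```

Run against the constructed events, the rules flag cmd.exe (1468) and mshta.exe (3736) and stay silent on WINWORD.EXE, explorer.exe and both WerFault.exe crash handlers, which is the behaviour to preserve when tuning: the crash handlers are noise here, not signal.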
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\programdata\captionEx.hta
  MD5:    111964af02201e77ad219f7562bf19b2
  SHA1:   9a48e4281a89383ff5af45ee2f2bf710704e5152
  SHA256: fb2a3eb78ef18021bd6da3398fb8d935fd3884f418dda72fc123903501b5b503
  SHA512: 141c2dac7594678bc7da7de7e9dfc4e90a6a6b4e5ee5985b03f37e97827b59e0bbb6509d88ab6a3cf129de2eb1660b90fb953f2abce441f5d37154d2f3c34784

memory/1468-190-0x0000000000000000-mapping.dmp
memory/3736-234-0x0000000000000000-mapping.dmp
memory/4056-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp  Filesize 64KB
memory/4056-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp  Filesize 64KB
memory/4056-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp  Filesize 64KB
memory/4056-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp  Filesize 64KB
memory/4056-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp  Filesize 64KB
memory/4056-118-0x00007FF846A80000-0x00007FF8495A3000-memory.dmp  Filesize 43.1MB
memory/4056-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmp  Filesize 16.9MB
memory/4056-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmp  Filesize 31.0MB