Overview

overview

10

Static

static

order_07.21.doc

windows7_x64

10

order_07.21.doc

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-07-2021 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order_07.21.doc

  • Size

    87KB

  • MD5

    401b19c454075d52bd832725f3c22cfe

  • SHA1

    088f76c184a0cba673abc41bd5582e4e21672fdd

  • SHA256

    6b94e6319e46f52058d5f0c1bc07d7e367152e3bb769f2fd1af097914fe64ce3

  • SHA512

    b83ddf0a5dc6174591e0c07a1b87f5ffb5a1efa731913707829195415bed70a5dff43d9669e948e509fd3e77d15986391e1e01b9344c2694dd1b0fba5b87f894

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\order_07.21.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\programdata\captionEx.hta
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\captionEx.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:3736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1324
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3144
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1632
            4⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            PID:2252

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\captionEx.hta
      MD5

      111964af02201e77ad219f7562bf19b2

      SHA1

      9a48e4281a89383ff5af45ee2f2bf710704e5152

      SHA256

      fb2a3eb78ef18021bd6da3398fb8d935fd3884f418dda72fc123903501b5b503

      SHA512

      141c2dac7594678bc7da7de7e9dfc4e90a6a6b4e5ee5985b03f37e97827b59e0bbb6509d88ab6a3cf129de2eb1660b90fb953f2abce441f5d37154d2f3c34784

      Download Submit
    • memory/1468-190-0x0000000000000000-mapping.dmp
      Download
    • memory/3736-234-0x0000000000000000-mapping.dmp
      Download
    • memory/4056-114-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4056-115-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4056-116-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4056-117-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4056-119-0x00007FF8256F0000-0x00007FF825700000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4056-118-0x00007FF846A80000-0x00007FF8495A3000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/4056-122-0x00007FF8413C0000-0x00007FF8424AE000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/4056-123-0x00007FF83F4C0000-0x00007FF8413B5000-memory.dmp
      Filesize

      31.0MB

      Download