164f30f3849b54f2e3c1aef75cfc9a9f4c6f39df382656ef3eac9d7d3b1d0f52

General

Target

figures-07.21.doc
Size

68KB
MD5

770a8bde63b2e589403e5ee9f3e4cc1a
SHA1

6e52cb2ffebde22b9a9870a8ea8b4e26922f9f22
SHA256

164f30f3849b54f2e3c1aef75cfc9a9f4c6f39df382656ef3eac9d7d3b1d0f52
SHA512

df95e8d07a4eef860653a9a9ab3272201ccbcba0a67a3ba918880da79df9dbece4ffac7b38ecfca33cf15bb6b2d1a42e93fd9692bbef5af05a40f2664d17e3a3

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1568	564	cmd.exe	WINWORD.EXE

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1792 created 1200 1792 regsvr32.exe Explorer.EXE
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 1556 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

pid process

1292 regsvr32.exe
1792 regsvr32.exe
1748 regsvr32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1792 set thread context of 2012 1792 regsvr32.exe chrome.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 1792 created 1200	1792	regsvr32.exe	Explorer.EXE

flow	pid	process
5	1556	mshta.exe

pid	process
1292	regsvr32.exe
1792	regsvr32.exe
1748	regsvr32.exe

description	pid	process	target process
PID 1792 set thread context of 2012	1792	regsvr32.exe	chrome.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exeWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

564 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

1792 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

564 WINWORD.EXE
564 WINWORD.EXE

pid	process
564	WINWORD.EXE

pid	process
1792	regsvr32.exe

pid	process
564	WINWORD.EXE
564	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 564 wrote to memory of 1568	564	WINWORD.EXE	cmd.exe
PID 564 wrote to memory of 1568	564	WINWORD.EXE	cmd.exe
PID 564 wrote to memory of 1568	564	WINWORD.EXE	cmd.exe
PID 564 wrote to memory of 1568	564	WINWORD.EXE	cmd.exe
PID 1568 wrote to memory of 1556	1568	cmd.exe	mshta.exe
PID 1568 wrote to memory of 1556	1568	cmd.exe	mshta.exe
PID 1568 wrote to memory of 1556	1568	cmd.exe	mshta.exe
PID 1568 wrote to memory of 1556	1568	cmd.exe	mshta.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1556 wrote to memory of 1292	1556	mshta.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 1292 wrote to memory of 1792	1292	regsvr32.exe	regsvr32.exe
PID 564 wrote to memory of 960	564	WINWORD.EXE	splwow64.exe
PID 564 wrote to memory of 960	564	WINWORD.EXE	splwow64.exe
PID 564 wrote to memory of 960	564	WINWORD.EXE	splwow64.exe
PID 564 wrote to memory of 960	564	WINWORD.EXE	splwow64.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe
PID 1792 wrote to memory of 2012	1792	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\figures-07.21.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\programdata\brI.hta
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\brI.hta"
4⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\brI.jpg
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\regsvr32.exe
c:\users\public\brI.jpg
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
PID:2012

C:\Windows\system32\regsvr32.exe
regsvr32 /s "c:\users\public\brI.jpg"
1⤵
- Loads dropped DLL
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ea1dc52e715fc461f24d2c4c012ab2a7

SHA1
90e43978a8116b6def95da5b1eaea038f1ea3f68

SHA256
8d0f05ede03c6c455a03ba725572322ad670a9a7f78007d7bd206732db1d4390

SHA512
99825e3bf09ed057cc91e5edd25c66c06016124edccb86e3327c488ead57defe79ea91732d9b3b1cbfbad42c5a1d2afbb77b2b20400eb201424a4ec22a82fe57

Download Submit
C:\programdata\brI.hta
MD5
8fcd0dbd0852a211a5e97560a3249f94

SHA1
608b8a74563be8a71d6f8b151fbce12a489cab79

SHA256
6b93a32417bedf141d0dc6488ce1a42f21ae06470eca19983c003a6a3901996f

SHA512
05ccb7739bee5b5563c8f1fb8fd1fe5e2c59dc1cd2a77f54809a27da81cfd6d964462f7da7e7817295ca12dd864b41549330d7d083b205eb19b6fb0fb9f7b757

Download Submit
\??\c:\users\public\brI.jpg
MD5
1a0a3f41570af7287e65642c607a3746

SHA1
30851f92c3e1cdd0a2bfb52a803e8eef93bdb669

SHA256
bb63cf1bbf457836cdaa43876fe78270a6fb2feca8f304715b7d2f5b7b69285b

SHA512
f23d1586dd6a9c33358ce184ae13b4d58a26443973068519abfd428aa03152e52f21b2a53bdbd3a4e965a3fe1f15c4680f7a81a6c260c603e96ed2dc1e924e28

Download Submit
\Users\Public\brI.jpg
MD5
1a0a3f41570af7287e65642c607a3746

SHA1
30851f92c3e1cdd0a2bfb52a803e8eef93bdb669

SHA256
bb63cf1bbf457836cdaa43876fe78270a6fb2feca8f304715b7d2f5b7b69285b

SHA512
f23d1586dd6a9c33358ce184ae13b4d58a26443973068519abfd428aa03152e52f21b2a53bdbd3a4e965a3fe1f15c4680f7a81a6c260c603e96ed2dc1e924e28

Download Submit
\Users\Public\brI.jpg
MD5
1a0a3f41570af7287e65642c607a3746

SHA1
30851f92c3e1cdd0a2bfb52a803e8eef93bdb669

SHA256
bb63cf1bbf457836cdaa43876fe78270a6fb2feca8f304715b7d2f5b7b69285b

SHA512
f23d1586dd6a9c33358ce184ae13b4d58a26443973068519abfd428aa03152e52f21b2a53bdbd3a4e965a3fe1f15c4680f7a81a6c260c603e96ed2dc1e924e28

Download Submit
\Users\Public\brI.jpg
MD5
1a0a3f41570af7287e65642c607a3746

SHA1
30851f92c3e1cdd0a2bfb52a803e8eef93bdb669

SHA256
bb63cf1bbf457836cdaa43876fe78270a6fb2feca8f304715b7d2f5b7b69285b

SHA512
f23d1586dd6a9c33358ce184ae13b4d58a26443973068519abfd428aa03152e52f21b2a53bdbd3a4e965a3fe1f15c4680f7a81a6c260c603e96ed2dc1e924e28

Download Submit
memory/564-62-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/564-59-0x0000000072AB1000-0x0000000072AB4000-memory.dmp

Filesize
12KB

Download
memory/564-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/564-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/564-60-0x0000000070531000-0x0000000070533000-memory.dmp

Filesize
8KB

Download
memory/960-76-0x0000000000000000-mapping.dmp

Download
memory/1292-68-0x0000000000000000-mapping.dmp

Download
memory/1556-66-0x0000000000000000-mapping.dmp

Download
memory/1568-63-0x0000000000000000-mapping.dmp

Download
memory/1748-84-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1792-72-0x0000000000000000-mapping.dmp

Download
memory/1792-75-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/1792-73-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/2012-80-0x000000013F970000-0x000000013FBB5000-memory.dmp

Filesize
2.3MB

Download
memory/2012-79-0x000000013FB877D8-mapping.dmp

Download
memory/2012-78-0x000000013F970000-0x000000013FBB5000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads