Analysis
- max time kernel: 143s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 17:40

Static task: static1

Behavioral task: behavioral1
- Sample: intelligence_07.27.2021.doc
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: intelligence_07.27.2021.doc
- Resource: win10v20210408
General
- Target: intelligence_07.27.2021.doc
- Size: 72KB
- MD5: 84b78d80895fe5083e2ff0ffe168552f
- SHA1: 3baa771fb2fcee216745d52fd770c7def5772ebd
- SHA256: daaa7914f4ef2d951bd89f50803160bba1ac86e6ae3d66798c35e262f20587d9
- SHA512: 995b08b4a9013ce7e2fb5baa91582b37b1ae960b572c8f30b80fd8464116405bcb18c7e80de766d290b8f7644ddbe562c03e9e4605c593b9db7b978c9f6315b1
Malware Config
Signatures
-
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2304 | 652 | cmd.exe | WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3352 | 3976 | cmd.exe | WINWORD.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (2 IoCs)
Processes:
pid | pid_target | process | target process
3956 | 4016 | WerFault.exe | mshta.exe
3200 | 2752 | WerFault.exe | mshta.exe
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class (21 IoCs)
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000abfff087702cd7019e430347762cd7019e430347762cd70114000000 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 = 5000310000000000fb52a19d10004c6f63616c003c0009000400efbe8852a461fb52a19d2e0000003d530100000001000000000000000000000000000000e0ffa0004c006f00630061006c00000014000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\MRUListEx = 00000000ffffffff | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0\NodeSlot = "4" | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0\MRUListEx = ffffffff | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | cmd.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = 00000000ffffffff | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\MRUListEx = 00000000ffffffff | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000100000000000000ffffffff | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 = 820074001c004346534616003100000000008852a461120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe8852a4618852a4612e0000002a530100000001000000000000000000000000000000c54d08014100700070004400610074006100000042000000 | WINWORD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0 = 4e00310000000000fb52a19d100054656d7000003a0009000400efbe8852a461fb52a19d2e0000003e530100000001000000000000000000000000000000a9ed6e00540065006d007000000014000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes:
pid | process
652 | WINWORD.EXE
652 | WINWORD.EXE
3976 | WINWORD.EXE
3976 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
pid | process
3956 | WerFault.exe (15 identical entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 3956 | WerFault.exe
Token: SeBackupPrivilege | 3956 | WerFault.exe
Token: SeDebugPrivilege | 3956 | WerFault.exe
-
Suspicious use of SetWindowsHookEx (25 IoCs)
Processes:
pid | process
652 | WINWORD.EXE (21 identical entries)
3976 | WINWORD.EXE (4 identical entries)
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
description | pid | process | target process
PID 652 wrote to memory of 2304 | 652 | WINWORD.EXE | cmd.exe
PID 652 wrote to memory of 2304 | 652 | WINWORD.EXE | cmd.exe
PID 2304 wrote to memory of 4016 | 2304 | cmd.exe | mshta.exe
PID 2304 wrote to memory of 4016 | 2304 | cmd.exe | mshta.exe
PID 2304 wrote to memory of 4016 | 2304 | cmd.exe | mshta.exe
Processes
(indentation follows the nesting level shown in the report: a nested entry was spawned by the entry above it)

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence_07.27.2021.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c c:\programdata\htmlCoreCode.hta
    Signatures:
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\htmlCoreCode.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1312
        Signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence_07.27.2021.doc" /o ""

- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence_07.27.2021.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c c:\programdata\htmlCoreCode.hta
    Signatures:
    - Process spawned unexpected child process

    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\htmlCoreCode.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1556
        Signatures:
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  MD5: ebf90aa0c7609ab4896cdec329f08edc
  SHA1: 2a8f73ddc3dfcffc573059272917076eec216571
  SHA256: d31d2659138898941690e8cf29e61b30d9e72a22f88eae48e1576c29f2262aa2
  SHA512: e3a4a7b4435e31903e692b9e0d40ed43f62dfdb10c16763e681ea886f6d44f906e36d6c2507f6f03e414c4dceab6e13aad16bcb8e39451421c36f4d0ed6fc5d4
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
  MD5: b00f3f56c104c94e03cd2ad8452c14e7
  SHA1: 51b78e45015e0d9d62fbdf31b75a22535a107204
  SHA256: ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
  SHA512: 93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
- C:\programdata\htmlCoreCode.hta
  MD5: 731a2fa48b5afb2a83011c9362d5aeb8
  SHA1: 4cc03587f43f8c3381b6715effda841bffba5f73
  SHA256: b2d4c83861333f33b0ea498137a8135cf28561fbf7dbf2fb4f8bd6beaab38c9b
  SHA512: 7fd27fe39a77964092c81b7f1e77741c2413019856acd88b74b6e0dbf84294de15f8dfe1f228eb309034da7d272b5008008589099d2cc7f0bb8f4e35ea2939fe
- memory/652-123-0x00007FFD09880000-0x00007FFD0B775000-memory.dmp (31.0MB)
- memory/652-114-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/652-115-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/652-116-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/652-117-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/652-119-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/652-118-0x00007FFD10FD0000-0x00007FFD13AF3000-memory.dmp (43.1MB)
- memory/652-122-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmp (16.9MB)
- memory/1408-343-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/1408-333-0x00007FFD09880000-0x00007FFD0B775000-memory.dmp (31.0MB)
- memory/1408-329-0x00007FFD10FD0000-0x00007FFD13AF3000-memory.dmp (43.1MB)
- memory/1408-332-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmp (16.9MB)
- memory/1408-342-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/1408-344-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/1408-345-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/2304-259-0x0000000000000000-mapping.dmp
- memory/2752-560-0x0000000000000000-mapping.dmp
- memory/3352-526-0x0000000000000000-mapping.dmp
- memory/3976-436-0x00007FFD0BE80000-0x00007FFD0CF6E000-memory.dmp (16.9MB)
- memory/3976-437-0x00007FFD09AB0000-0x00007FFD0B9A5000-memory.dmp (31.0MB)
- memory/3976-434-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/3976-432-0x00007FFD10FD0000-0x00007FFD13AF3000-memory.dmp (43.1MB)
- memory/3976-431-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/3976-428-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/3976-430-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/3976-429-0x00007FFCEFED0000-0x00007FFCEFEE0000-memory.dmp (64KB)
- memory/4016-261-0x0000000000000000-mapping.dmp