Analysis
-
max time kernel
109s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 14:43
Static task
static1
Behavioral task
behavioral1
Sample
tell,07.27.21.doc
Resource
win7v20210408
Behavioral task
behavioral2
Sample
tell,07.27.21.doc
Resource
win10v20210410
General
-
Target
tell,07.27.21.doc
-
Size
74KB
-
MD5
d19eb38aa7f7b4523fc5500421a28fd6
-
SHA1
64accb8248012c61c317f7be8d8d5c53121fd1e1
-
SHA256
5f977be3728f4430755cc34c8be0fad95d9b5882c5397f30f82243ec6085beac
-
SHA512
6506bd287f582db22a232d6276e18d82d4449fb899c7c4fe2816b0bf5b79344ef6e13fdadd0ae24bd2a72668bafb67ca58813d7c786d92f19a6ee010a253a6e5
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3152 4092 cmd.exe WINWORD.EXE -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 2848 created 3288 2848 WerFault.exe mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 516 3288 WerFault.exe mshta.exe 2848 3288 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4092 WINWORD.EXE 4092 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe 516 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 516 WerFault.exe Token: SeBackupPrivilege 516 WerFault.exe Token: SeDebugPrivilege 516 WerFault.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
WINWORD.EXEpid process 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 4092 wrote to memory of 3152 4092 WINWORD.EXE cmd.exe PID 4092 wrote to memory of 3152 4092 WINWORD.EXE cmd.exe PID 3152 wrote to memory of 3288 3152 cmd.exe mshta.exe PID 3152 wrote to memory of 3288 3152 cmd.exe mshta.exe PID 3152 wrote to memory of 3288 3152 cmd.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tell,07.27.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c c:\programdata\variableProcProc.hta2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\variableProcProc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 13684⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 16404⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\programdata\variableProcProc.htaMD5
c3bbf2b8611fa3dc96c7103cf08a47ce
SHA1be8d2925e19e70efb808f10a9e76c257f975fb86
SHA2560e934cb850a20bae825bd22d3d1050323944f6253e942953b5df777eeae0e4c4
SHA512d6dbec60a2eb20a7453036adbc26f9c5b0c9b6ca0ebcf6d982c947063fa383dde8aecf773b88ffe492322b3db01f55c1ade00ebc910ea001eae214fabed0427a
-
memory/3152-235-0x0000000000000000-mapping.dmp
-
memory/3288-261-0x0000000000000000-mapping.dmp
-
memory/4092-117-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-119-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-118-0x00007FFF97F10000-0x00007FFF9AA33000-memory.dmpFilesize
43.1MB
-
memory/4092-122-0x00007FFF92A50000-0x00007FFF93B3E000-memory.dmpFilesize
16.9MB
-
memory/4092-123-0x00007FFF90A80000-0x00007FFF92975000-memory.dmpFilesize
31.0MB
-
memory/4092-114-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-116-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-115-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-344-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-345-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-346-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB
-
memory/4092-347-0x00007FFF77040000-0x00007FFF77050000-memory.dmpFilesize
64KB