Overview

overview

10

Static

static

tell,07.27.21.doc

windows7_x64

10

tell,07.27.21.doc

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tell,07.27.21.doc

  • Size

    74KB

  • MD5

    d19eb38aa7f7b4523fc5500421a28fd6

  • SHA1

    64accb8248012c61c317f7be8d8d5c53121fd1e1

  • SHA256

    5f977be3728f4430755cc34c8be0fad95d9b5882c5397f30f82243ec6085beac

  • SHA512

    6506bd287f582db22a232d6276e18d82d4449fb899c7c4fe2816b0bf5b79344ef6e13fdadd0ae24bd2a72668bafb67ca58813d7c786d92f19a6ee010a253a6e5

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tell,07.27.21.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\programdata\variableProcProc.hta
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\variableProcProc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:3288
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1368
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:516
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1640
            4⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            PID:2848

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\variableProcProc.hta
      MD5

      c3bbf2b8611fa3dc96c7103cf08a47ce

      SHA1

      be8d2925e19e70efb808f10a9e76c257f975fb86

      SHA256

      0e934cb850a20bae825bd22d3d1050323944f6253e942953b5df777eeae0e4c4

      SHA512

      d6dbec60a2eb20a7453036adbc26f9c5b0c9b6ca0ebcf6d982c947063fa383dde8aecf773b88ffe492322b3db01f55c1ade00ebc910ea001eae214fabed0427a

      Download Submit
    • memory/3152-235-0x0000000000000000-mapping.dmp
      Download
    • memory/3288-261-0x0000000000000000-mapping.dmp
      Download
    • memory/4092-117-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-119-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-118-0x00007FFF97F10000-0x00007FFF9AA33000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/4092-122-0x00007FFF92A50000-0x00007FFF93B3E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/4092-123-0x00007FFF90A80000-0x00007FFF92975000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/4092-114-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-116-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-115-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-344-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-345-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-346-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4092-347-0x00007FFF77040000-0x00007FFF77050000-memory.dmp
      Filesize

      64KB

      Download