Analysis
-
max time kernel
112s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 18:38
Static task
static1
Behavioral task
behavioral1
Sample
deed contract,07.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
deed contract,07.21.doc
Resource
win10v20210410
General
-
Target
deed contract,07.21.doc
-
Size
74KB
-
MD5
2d0088012b6c1f399e946a8e5b513e36
-
SHA1
25b7290bf78fce2951ee78df721994890b2d8aad
-
SHA256
f6c286e79ec7023e8ff292c6f71ad0ecc8fef8463e8d2fe1aa0d527c3d833b01
-
SHA512
4a2b1d82a52cf7b268a5abdcac5e17b0d080e18de23bebbd9bb2b39484ff42a525b339dd05f9cd86d38f244d0ba819429cac8d49355e69afea764b435fefd8f4
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2104 3920 cmd.exe WINWORD.EXE -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 1100 created 1816 1100 WerFault.exe mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1100 1816 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3920 WINWORD.EXE 3920 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe 1100 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1100 WerFault.exe Token: SeBackupPrivilege 1100 WerFault.exe Token: SeDebugPrivilege 1100 WerFault.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
WINWORD.EXEpid process 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE 3920 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 3920 wrote to memory of 2104 3920 WINWORD.EXE cmd.exe PID 3920 wrote to memory of 2104 3920 WINWORD.EXE cmd.exe PID 2104 wrote to memory of 1816 2104 cmd.exe mshta.exe PID 2104 wrote to memory of 1816 2104 cmd.exe mshta.exe PID 2104 wrote to memory of 1816 2104 cmd.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,07.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c c:\programdata\funcToProc.hta2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\funcToProc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 13004⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\programdata\funcToProc.htaMD5
bc4be77135061df095a403023bae0109
SHA12fc60dd93271d314a961e47e18b64ab28ae8d327
SHA256dc57fcce608c4997a28a47c3ba309091a6ca6920b91ec8fa5b859c7fb94193f3
SHA512b002a6527ba4b8d7b0616929bf4dac29341d65798c6fd2ecb45a331de0a9a5753f0cc3d64caf51e7edea1a3b0faa42998dd54abb51a5778e80d5252cb3ec9be4
-
memory/1816-232-0x0000000000000000-mapping.dmp
-
memory/2104-192-0x0000000000000000-mapping.dmp
-
memory/3920-117-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-118-0x00007FF970480000-0x00007FF972FA3000-memory.dmpFilesize
43.1MB
-
memory/3920-119-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-122-0x00007FF969780000-0x00007FF96A86E000-memory.dmpFilesize
16.9MB
-
memory/3920-123-0x00007FF967880000-0x00007FF969775000-memory.dmpFilesize
31.0MB
-
memory/3920-114-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-116-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-115-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-343-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-344-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-345-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB
-
memory/3920-346-0x00007FF94EEB0000-0x00007FF94EEC0000-memory.dmpFilesize
64KB