Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 02-08-2021 13:30

Static task: static1

Behavioral task: behavioral1
  Sample: facts.08.21.doc
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: facts.08.21.doc
  Resource: win10v20210408
General
- Target: facts.08.21.doc
- Size: 75KB
- MD5: 97d717e44f8f2faf01af69a10886718a
- SHA1: 87b6c88f1dbc252f957d960f5c3fa9970f5ba76d
- SHA256: 5cd0951a1172d5b029f180da1d44826bb6ca117acf15df52671464038114455f
- SHA512: 7d2aa1ad1b02a393086ed6bcaed85a58c4421962a283cd5e7a088d6a1f03af9f9dead8e4a894ac4a7921507c114f60cce1d198c921965efe3561073af316d259
Malware Config
Signatures
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1972 | 1672 | cmd.exe | WINWORD.EXE
-
Bazar/Team9 Backdoor payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/316-78-0x00000000FF400000-0x00000000FF451000-memory.dmp | BazarBackdoorVar4
  behavioral1/memory/316-79-0x00000000FF4246D0-mapping.dmp | BazarBackdoorVar4
  behavioral1/memory/316-80-0x00000000FF400000-0x00000000FF451000-memory.dmp | BazarBackdoorVar4
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  6 | 2024 | mshta.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  616 | regsvr32.exe
  1816 | regsvr32.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 1816 set thread context of 316 | 1816 | regsvr32.exe | svchost.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  1672 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid | process
  1816 | regsvr32.exe
  1816 | regsvr32.exe
  1816 | regsvr32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid | process
  1672 | WINWORD.EXE
  1672 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process | occurrences
  PID 1672 wrote to memory of 1972 | 1672 | WINWORD.EXE | cmd.exe | 4
  PID 1972 wrote to memory of 2024 | 1972 | cmd.exe | mshta.exe | 4
  PID 2024 wrote to memory of 616 | 2024 | mshta.exe | regsvr32.exe | 7
  PID 616 wrote to memory of 1816 | 616 | regsvr32.exe | regsvr32.exe | 7
  PID 1672 wrote to memory of 1652 | 1672 | WINWORD.EXE | splwow64.exe | 4
  PID 1816 wrote to memory of 316 | 1816 | regsvr32.exe | svchost.exe | 38
  (identical rows collapsed: the original listing repeats each row once per write event, 64 rows in total; the last count is the 64 listed rows less the 26 above)
Processes (indented by tree depth; each entry gives the image path, its command line, and the signatures it triggered)
- [1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts.08.21.doc"
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c c:\users\public\varForFor.hta
        - Process spawned unexpected child process
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\mshta.exe
          command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\varForFor.hta"
          - Blocklisted process makes network request
          - Modifies Internet Explorer settings
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\regsvr32.exe
            command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\varForFor.jpg
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\regsvr32.exe
              command line: c:\users\public\varForFor.jpg
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\svchost.exe
                command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  - [2] C:\Windows\splwow64.exe
        command line: C:\Windows\splwow64.exe 12288
- [1] C:\Windows\System32\rundll32.exe
      command line: C:\Windows\System32\rundll32.exe ,StartW 3815695406
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: 2902de11e30dcc620b184e3bb0f0c1cb
  SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
  SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
  SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 82f6f67a0fbe08910a29f23806d2e7a2
  SHA1: a25d8d39c46921c762314901896328e7ac973258
  SHA256: e609bdafacc1ba6556f371fddee5822ca2ba182383a8e121f3d36cfa83dfcce0
  SHA512: 44938f8df8037cc78f483ca7cd6c36abe71602b71d4e5d8a5df11aaf3928a7c903edbd7d2356f86eaf7d097289f4b17a8acc413e3387988dd0fc62ce221f6b7e
- C:\users\public\varForFor.hta
  MD5: 2fe2f205b4408edf309a5ee9056e89e7
  SHA1: b838a7417d9d5ec5a1c74974690dbbac3cdf5159
  SHA256: 3face3dc221495c3abf4a4c186c54f1f36dd43476b00e956756c874080e786c9
  SHA512: 990ea265a03ec30f53f19e2a78571cee4adf76075ec84e1a765d1680a4cf2f45494f1854a16e4e34d561b8210435e95e0d7efc586983de82ff4f977942f1b174
- \??\c:\users\public\varForFor.jpg
  MD5: f060b82d3ee660d4cd49ee38c77256fa
  SHA1: 5d38a3ca275a7dbf63adba82d5bd32c35a5cb2ea
  SHA256: 68f4414a96fd9204bb285b50b438339a00f4f20801cd4c9df07d4357774428aa
  SHA512: f117a041b82b92336f8e19aa8e4fc6f3cea06a0e0ec91641a5bb70429d853c2e2669515d56f1a5a8d8cd0737b34567d90774cc8a905655daf8872d4055531059
- \Users\Public\varForFor.jpg
  MD5: f060b82d3ee660d4cd49ee38c77256fa
  SHA1: 5d38a3ca275a7dbf63adba82d5bd32c35a5cb2ea
  SHA256: 68f4414a96fd9204bb285b50b438339a00f4f20801cd4c9df07d4357774428aa
  SHA512: f117a041b82b92336f8e19aa8e4fc6f3cea06a0e0ec91641a5bb70429d853c2e2669515d56f1a5a8d8cd0737b34567d90774cc8a905655daf8872d4055531059
- memory/316-78-0x00000000FF400000-0x00000000FF451000-memory.dmp
  Filesize: 324KB
- memory/316-79-0x00000000FF4246D0-mapping.dmp
- memory/316-80-0x00000000FF400000-0x00000000FF451000-memory.dmp
  Filesize: 324KB
- memory/616-68-0x0000000000000000-mapping.dmp
- memory/1652-76-0x0000000000000000-mapping.dmp
- memory/1672-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1672-61-0x0000000070471000-0x0000000070473000-memory.dmp
  Filesize: 8KB
- memory/1672-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/1672-63-0x0000000075971000-0x0000000075973000-memory.dmp
  Filesize: 8KB
- memory/1672-60-0x00000000729F1000-0x00000000729F4000-memory.dmp
  Filesize: 12KB
- memory/1816-72-0x0000000000000000-mapping.dmp
- memory/1816-75-0x00000000002D0000-0x00000000002F5000-memory.dmp
  Filesize: 148KB
- memory/1816-73-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp
  Filesize: 8KB
- memory/1972-64-0x0000000000000000-mapping.dmp
- memory/2024-67-0x0000000000000000-mapping.dmp