Analysis
-
max time kernel
326s -
max time network
1448s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
19-08-2021 15:30
Static task
static1
Behavioral task
behavioral1
Sample
intelligence_07.27.2021.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
intelligence_07.27.2021.doc
Resource
win10v20210408
General
-
Target
intelligence_07.27.2021.doc
-
Size
72KB
-
MD5
84b78d80895fe5083e2ff0ffe168552f
-
SHA1
3baa771fb2fcee216745d52fd770c7def5772ebd
-
SHA256
daaa7914f4ef2d951bd89f50803160bba1ac86e6ae3d66798c35e262f20587d9
-
SHA512
995b08b4a9013ce7e2fb5baa91582b37b1ae960b572c8f30b80fd8464116405bcb18c7e80de766d290b8f7644ddbe562c03e9e4605c593b9db7b978c9f6315b1
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3748 3008 cmd.exe WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2152 2212 WerFault.exe mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3008 WINWORD.EXE 3008 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe 2152 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2152 WerFault.exe Token: SeBackupPrivilege 2152 WerFault.exe Token: SeDebugPrivilege 2152 WerFault.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 3008 wrote to memory of 3748 3008 WINWORD.EXE cmd.exe PID 3008 wrote to memory of 3748 3008 WINWORD.EXE cmd.exe PID 3748 wrote to memory of 2212 3748 cmd.exe mshta.exe PID 3748 wrote to memory of 2212 3748 cmd.exe mshta.exe PID 3748 wrote to memory of 2212 3748 cmd.exe mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence_07.27.2021.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c c:\programdata\htmlCoreCode.hta2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\htmlCoreCode.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 13124⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\programdata\htmlCoreCode.htaMD5
731a2fa48b5afb2a83011c9362d5aeb8
SHA14cc03587f43f8c3381b6715effda841bffba5f73
SHA256b2d4c83861333f33b0ea498137a8135cf28561fbf7dbf2fb4f8bd6beaab38c9b
SHA5127fd27fe39a77964092c81b7f1e77741c2413019856acd88b74b6e0dbf84294de15f8dfe1f228eb309034da7d272b5008008589099d2cc7f0bb8f4e35ea2939fe
-
memory/2212-145-0x0000000000000000-mapping.dmp
-
memory/3008-117-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-114-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-118-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-119-0x00007FFFDF930000-0x00007FFFE2453000-memory.dmpFilesize
43.1MB
-
memory/3008-122-0x0000028D70A20000-0x0000028D71B0E000-memory.dmpFilesize
16.9MB
-
memory/3008-123-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmpFilesize
31.0MB
-
memory/3008-116-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-115-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-347-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-348-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-349-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-350-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3748-143-0x0000000000000000-mapping.dmp