Overview

overview

10

Static

static

intelligen...21.doc

windows7_x64

10

intelligen...21.doc

windows10_x64

10

Resubmissions

19-08-2021 15:30

210819-gxssltz4hn 10

27-07-2021 17:40

210727-76r6w1an9n 10

Analysis

  • max time kernel
    326s
  • max time network
    1448s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-08-2021 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    intelligence_07.27.2021.doc

  • Size

    72KB

  • MD5

    84b78d80895fe5083e2ff0ffe168552f

  • SHA1

    3baa771fb2fcee216745d52fd770c7def5772ebd

  • SHA256

    daaa7914f4ef2d951bd89f50803160bba1ac86e6ae3d66798c35e262f20587d9

  • SHA512

    995b08b4a9013ce7e2fb5baa91582b37b1ae960b572c8f30b80fd8464116405bcb18c7e80de766d290b8f7644ddbe562c03e9e4605c593b9db7b978c9f6315b1

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence_07.27.2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\programdata\htmlCoreCode.hta
      2⤵
      • Process spawned unexpected child process
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\htmlCoreCode.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
          PID:2212
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1312
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\programdata\htmlCoreCode.hta
      MD5

      731a2fa48b5afb2a83011c9362d5aeb8

      SHA1

      4cc03587f43f8c3381b6715effda841bffba5f73

      SHA256

      b2d4c83861333f33b0ea498137a8135cf28561fbf7dbf2fb4f8bd6beaab38c9b

      SHA512

      7fd27fe39a77964092c81b7f1e77741c2413019856acd88b74b6e0dbf84294de15f8dfe1f228eb309034da7d272b5008008589099d2cc7f0bb8f4e35ea2939fe

      Download Submit
    • memory/2212-145-0x0000000000000000-mapping.dmp
      Download
    • memory/3008-117-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-114-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-118-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-119-0x00007FFFDF930000-0x00007FFFE2453000-memory.dmp
      Filesize

      43.1MB

      Download
    • memory/3008-122-0x0000028D70A20000-0x0000028D71B0E000-memory.dmp
      Filesize

      16.9MB

      Download
    • memory/3008-123-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmp
      Filesize

      31.0MB

      Download
    • memory/3008-116-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-115-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-347-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-348-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-349-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3008-350-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3748-143-0x0000000000000000-mapping.dmp
      Download