Analysis
- max time kernel: 143s
- max time network: 137s
- platform: windows10_x64
- resource: win10-en
- submitted: 13-09-2021 17:15

Behavioral task behavioral1
- Sample: deed contract,09.21.doc
- Resource: win7-en

Behavioral task behavioral2
- Sample: deed contract,09.21.doc
- Resource: win10-en

General
- Target: deed contract,09.21.doc
- Size: 69KB
- MD5: f609155a19b0b0ab6cbe75bc3cee1496
- SHA1: b45528f88e07f7db0954d427d43832237c29dee5
- SHA256: 9daf33d2d3b122f8caccbca555164e11046957ed0af5afbb2b243a292d6f2de2
- SHA512: e735d121b854d761104c5987c35e64e4033dc47834a81f139f511345fcb04e2b8cc14343c33f369c6093b3540ca934569dde7e96040f9ceeb3dddef73f15a2f8
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    explorer.exe (PID 496), spawned by WINWORD.EXE (PID 3980): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    WerFault.exe (PID 1204), target mshta.exe (PID 800): PID 1204 created 800
- Program crash (2 IoCs)
  Processes:
    WerFault.exe (PID 496), crashed process mshta.exe (PID 800)
    WerFault.exe (PID 1204), crashed process mshta.exe (PID 800)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the reads are attributed to WINWORD.EXE, which covers both Office's own queries and any macro code running inside it, so this signature alone does not tell the two apart.
  Processes:
    WINWORD.EXE: Key opened        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    WINWORD.EXE: Key opened        \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies registry class (1 IoC)
  Processes:
    explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (PID 3980), 2 occurrences
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    WerFault.exe (PID 496), 14 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    WerFault.exe (PID 496): Token: SeRestorePrivilege
    WerFault.exe (PID 496): Token: SeBackupPrivilege
    WerFault.exe (PID 496): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes:
    WINWORD.EXE (PID 3980), 15 occurrences
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    PID 3980 WINWORD.EXE wrote to memory of PID 496 WerFault.exe, 2 occurrences (the report also lists PID 496 as the explorer.exe spawned by WINWORD.EXE; see Process spawned unexpected child process above)
    PID 656 explorer.exe wrote to memory of PID 800 mshta.exe, 3 occurrences
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3980)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract,09.21.doc" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 496)
    Command line: explorer currCurrPl.hta
    Signatures: Process spawned unexpected child process
- C:\Windows\explorer.exe (PID 656)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (PID 800)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\currCurrPl.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Windows\SysWOW64\WerFault.exe (PID 496)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 1332
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 1204)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 1632
      Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash
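The tree above shows why a plain "Office parent spawned a script host" rule is not enough here: WINWORD.EXE launched `explorer currCurrPl.hta`, the shell association then started mshta.exe under the already-running COM-factory explorer.exe (PID 656), and so mshta.exe's direct parent is not Office at all. The following Python is an added example, not part of the sandbox report or of any vendor's detection content. It models the report's process tree as constructed Sysmon Event ID 1-style records (PIDs taken from the report's signature tables; the parent PIDs 1000 and 1001 of the two top-level processes are assumed) and applies two checks: an Office parent spawning a child outside an allow-list (the allow-list itself is an assumption to tune per environment), and a script host executing a file that an Office child first named on its command line, correlated by file name rather than by the broken parent link.

```python
"""Detect an Office -> script-host chain whose direct parent link is broken.

Added example, not part of the sandbox report. Input records are constructed
here to mirror the report's process tree (Sysmon Event ID 1-style fields).
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Children Office spawns legitimately; an assumption to tune per environment.
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Script-like files named anywhere on a command line (quoted or not).
SCRIPT_FILE = re.compile(r'[^\s"]+\.(?:hta|js|jse|vbs|vbe|wsf|ps1)\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


def exe_name(path: str) -> str:
    """Lower-cased basename of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def script_files(cmdline: str) -> set[str]:
    """Lower-cased basenames of script-like files named on a command line."""
    return {ntpath.basename(m).lower() for m in SCRIPT_FILE.findall(cmdline)}


def find_suspicious_chains(events):
    """Return (rule, origin_pid, pid, detail) tuples for the two checks described above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    staged = {}  # script basename -> pid of the Office child that first named it

    # Rule 1: an Office parent spawns something outside its allow-list.
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or exe_name(parent.image) not in OFFICE_APPS:
            continue
        if exe_name(e.image) not in OFFICE_ALLOWED_CHILDREN:
            findings.append(("office_unexpected_child", parent.pid, e.pid, exe_name(e.image)))
        for name in script_files(e.cmdline):
            staged.setdefault(name, e.pid)

    # Rule 2: a script host later runs one of those files while its own parent
    # is not Office, so a pure parent/child rule would never see the link.
    for e in events:
        if exe_name(e.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and exe_name(parent.image) in OFFICE_APPS:
            continue  # already reported by rule 1
        for name in script_files(e.cmdline):
            if name in staged:
                findings.append(("office_relayed_script", staged[name], e.pid, name))
    return findings


# Constructed records mirroring the report's tree. PIDs 3980, 496, 656 and 800
# are the report's; the parent PIDs 1000 and 1001 are assumed.
SAMPLE_EVENTS = [
    ProcEvent(3980, 1000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\deed contract,09.21.doc" /o ""'),
    # Word hands the .hta to a short-lived explorer.exe; the report later shows
    # WerFault.exe under the same PID 496, consistent with PID reuse (inference).
    ProcEvent(496, 3980, r"C:\Windows\explorer.exe", "explorer currCurrPl.hta"),
    # The COM-factory explorer.exe that ends up as mshta.exe's real parent.
    ProcEvent(656, 1001, r"C:\Windows\explorer.exe",
              r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    ProcEvent(800, 656, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\currCurrPl.hta" '
              r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
]

if __name__ == "__main__":
    for rule, origin, pid, detail in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} ({detail}), traced to pid {origin}")
```

Rule 1 fires on explorer.exe (PID 496) as a child of WINWORD.EXE; rule 2 ties mshta.exe (PID 800) back to that child through the shared file name currCurrPl.hta even though its parent is PID 656. In this run mshta.exe crashed twice (the two WerFault.exe entries) and the Network section is empty, so the process chain and the dropped .hta are the only evidence available.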
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\currCurrPl.hta
  MD5: 29218d420ce0c0f84c301c035801f6ff
  SHA1: e61258fb5fc9ce9b814b276298885fee5e16083d
  SHA256: d869fccdb3807528fb62cabc388d4ad9da641fc3354c4432ce2a93ce99e43d3c
  SHA512: 591ee976ab70304faf1283dedea6101cd0b592560984dd60d70e5aabd0e20bb1e24e8f281414a51f7eff842802bd1901b118170431b50720cfad80e4e0c29ea3
- memory/496-141-0x0000000000000000-mapping.dmp
- memory/800-144-0x0000000000000000-mapping.dmp
- memory/3980-115-0x00007FFD08760000-0x00007FFD08770000-memory.dmp (Filesize 64KB)
- memory/3980-116-0x00007FFD08760000-0x00007FFD08770000-memory.dmp (Filesize 64KB)
- memory/3980-117-0x00007FFD08760000-0x00007FFD08770000-memory.dmp (Filesize 64KB)
- memory/3980-118-0x00007FFD08760000-0x00007FFD08770000-memory.dmp (Filesize 64KB)
- memory/3980-120-0x00007FFD08760000-0x00007FFD08770000-memory.dmp (Filesize 64KB)
- memory/3980-119-0x00007FFD2AEA0000-0x00007FFD2D9C3000-memory.dmp (Filesize 43.1MB)
- memory/3980-123-0x0000026926160000-0x000002692724E000-memory.dmp (Filesize 16.9MB)
- memory/3980-124-0x00007FFD21E50000-0x00007FFD23D45000-memory.dmp (Filesize 31.0MB)