Analysis
- max time kernel: 102s
- max time network: 1813s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: dictate 010.21.doc
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: dictate 010.21.doc
  Resource: win10-en-20210920
General
- Target: dictate 010.21.doc
- Size: 34KB
- MD5: 3128a1aa061355d275cd323336148c4a
- SHA1: 63b5fba4691c68f0c268fd65b6dda64150b4facc
- SHA256: 1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060
- SHA512: 04d1e8e2b360a87f2e37a1d036cd415c4078546577cdc02528e1f32c64df917b86bb95a011e8b36eed30d3c18bf1633db458feb5140c28e076c2b170f621559a
Malware Config
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: mshta.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3996 | 2484 | mshta.exe | WINWORD.EXE
-
Blocklisted process makes network request (1 IoC)
Processes: mshta.exe
  flow | pid | process
  23 | 3996 | mshta.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  2484 | WINWORD.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx (20 IoCs)
Processes: WINWORD.EXE
  pid | process
  2484 | WINWORD.EXE (20 occurrences)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: WINWORD.EXE, mshta.exe
  description | pid | process | target process
  PID 2484 wrote to memory of 3996 | 2484 | WINWORD.EXE | mshta.exe (3 occurrences)
  PID 3996 wrote to memory of 4040 | 3996 | mshta.exe | regsvr32.exe (3 occurrences)
Processes
-
(depth 1) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2484)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate 010.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
(depth 2) C:\Windows\SysWOW64\mshta.exe (PID 3996, child of WINWORD.EXE)
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redKingIn.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
-
(depth 3) C:\Windows\SysWOW64\regsvr32.exe (PID 4040, child of mshta.exe)
  Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\carolineLineLine.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\users\public\redKingIn.hta
  MD5: fde6308f2d09731ef8c3457908ab41f3
  SHA1: ff38e422ee794d25942fd01363154f6afd2039fa
  SHA256: 8f3d9dcbdd0b408eca4f7224a5f900ce86e3c9400ff96cc427a8c2a9c7105370
  SHA512: 405b0a6fb6b8930519263537ff673e42fb13eee54e14622229cf3d16187ee7512270f72c220501f26cc49a41c46c101a180045b59e7130dfa8bdf0df20144993
-
\??\c:\users\public\carolineLineLine.jpg
  MD5: 5683303d13e59e8f2ae2b78cb029bdd4
  SHA1: cfc630eaf7609630f888f00a7c5f15bbf1f3feed
  SHA256: 63c6c4f9e8f7c33480fe8b758d906c1b5ce25d373db95caec64e03e3476de78d
  SHA512: 9c873e65fd593447f27d61f9188d8b504760c11759bbb4b8936ab98650604c60a9c65c5363347a6ea159e41a278d41c616eaffa7925808865e0772a2f394254e