1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060

General

Target

dictate 010.21.doc
Size

34KB
MD5

3128a1aa061355d275cd323336148c4a
SHA1

63b5fba4691c68f0c268fd65b6dda64150b4facc
SHA256

1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060
SHA512

04d1e8e2b360a87f2e37a1d036cd415c4078546577cdc02528e1f32c64df917b86bb95a011e8b36eed30d3c18bf1633db458feb5140c28e076c2b170f621559a

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3996	2484	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

23 3996 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
23	3996	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2484 WINWORD.EXE
2484 WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXE

pid	process
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEmshta.exe

description	pid	process	target process
PID 2484 wrote to memory of 3996	2484	WINWORD.EXE	mshta.exe
PID 2484 wrote to memory of 3996	2484	WINWORD.EXE	mshta.exe
PID 2484 wrote to memory of 3996	2484	WINWORD.EXE	mshta.exe
PID 3996 wrote to memory of 4040	3996	mshta.exe	regsvr32.exe
PID 3996 wrote to memory of 4040	3996	mshta.exe	regsvr32.exe
PID 3996 wrote to memory of 4040	3996	mshta.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate 010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redKingIn.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\carolineLineLine.jpg
3⤵
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\redKingIn.hta
MD5
fde6308f2d09731ef8c3457908ab41f3

SHA1
ff38e422ee794d25942fd01363154f6afd2039fa

SHA256
8f3d9dcbdd0b408eca4f7224a5f900ce86e3c9400ff96cc427a8c2a9c7105370

SHA512
405b0a6fb6b8930519263537ff673e42fb13eee54e14622229cf3d16187ee7512270f72c220501f26cc49a41c46c101a180045b59e7130dfa8bdf0df20144993

Download Submit
\??\c:\users\public\carolineLineLine.jpg
MD5
5683303d13e59e8f2ae2b78cb029bdd4

SHA1
cfc630eaf7609630f888f00a7c5f15bbf1f3feed

SHA256
63c6c4f9e8f7c33480fe8b758d906c1b5ce25d373db95caec64e03e3476de78d

SHA512
9c873e65fd593447f27d61f9188d8b504760c11759bbb4b8936ab98650604c60a9c65c5363347a6ea159e41a278d41c616eaffa7925808865e0772a2f394254e

Download Submit
memory/2484-115-0x00007FFDB83C0000-0x00007FFDB83D0000-memory.dmp

Filesize
64KB

Download
memory/2484-116-0x00007FFDB83C0000-0x00007FFDB83D0000-memory.dmp

Filesize
64KB

Download
memory/2484-117-0x00007FFDB83C0000-0x00007FFDB83D0000-memory.dmp

Filesize
64KB

Download
memory/2484-118-0x00007FFDB83C0000-0x00007FFDB83D0000-memory.dmp

Filesize
64KB

Download
memory/2484-120-0x0000022792480000-0x0000022792482000-memory.dmp

Filesize
8KB

Download
memory/2484-119-0x0000022792480000-0x0000022792482000-memory.dmp

Filesize
8KB

Download
memory/2484-121-0x00007FFDB83C0000-0x00007FFDB83D0000-memory.dmp

Filesize
64KB

Download
memory/2484-122-0x0000022792480000-0x0000022792482000-memory.dmp

Filesize
8KB

Download
memory/3996-260-0x0000000000000000-mapping.dmp

Download
memory/4040-290-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads