Analysis
- max time kernel: 120s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 21:35
Static task: static1
Behavioral task: behavioral1
- Sample: report-010.21.doc
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: report-010.21.doc
- Resource: win10-en-20211014
General
- Target: report-010.21.doc
- Size: 34KB
- MD5: b5aeb8860efdadb611317b402c5c2041
- SHA1: 529499499ecc872c36dc6883a8b26f9233cbe335
- SHA256: 65268850ea8acf0d95948bee63f12e251526355fb456ba2432a82523bf11c654
- SHA512: 0cc703ac915d52670c2eab3f19320ff0550cc38a41cb104793944c9d7ca4aa6df453f50deb7406dda00c7af431796ecfc6fb807f30d90cc931aa6f7b8627bf40
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3544 | 3496 | mshta.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  - 38 | 3544 | mshta.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
  - 3496 | WINWORD.EXE (2 identical entries)
- Suspicious use of SetWindowsHookEx (23 IoCs)
  Processes (pid | process):
  - 3496 | WINWORD.EXE (23 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 3496 wrote to memory of 3544 | 3496 | WINWORD.EXE | mshta.exe (3 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\report-010.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\kingSeaCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Process spawned unexpected child process
    - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\kingSeaCaroline.hta
  MD5: fc60bfbcfb72c73cf4380e3d69f8ff30
  SHA1: ec4c91db6a6459c765e90db04294094f264d28c3
  SHA256: f4c0fdcc5b0a4f27af58e52571b63b121d09ae37f5d9772d68c2912f6c2ae58b
  SHA512: f21c3e33042434d1bd0a4ff74210a280f5f30b8c36f0b5623f1659e8f0ef7a5c79a643864b1e6032fb69485a8c7dd10d983640784d678b8d04688d4a315f675a
- memory/3496-115-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp (Filesize: 64KB)
- memory/3496-116-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp (Filesize: 64KB)
- memory/3496-117-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp (Filesize: 64KB)
- memory/3496-118-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp (Filesize: 64KB)
- memory/3496-120-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp (Filesize: 8KB)
- memory/3496-119-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp (Filesize: 8KB)
- memory/3496-121-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp (Filesize: 64KB)
- memory/3496-122-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp (Filesize: 8KB)
- memory/3544-256-0x0000000000000000-mapping.dmp