65268850ea8acf0d95948bee63f12e251526355fb456ba2432a82523bf11c654

General

Target

report-010.21.doc
Size

34KB
MD5

b5aeb8860efdadb611317b402c5c2041
SHA1

529499499ecc872c36dc6883a8b26f9233cbe335
SHA256

65268850ea8acf0d95948bee63f12e251526355fb456ba2432a82523bf11c654
SHA512

0cc703ac915d52670c2eab3f19320ff0550cc38a41cb104793944c9d7ca4aa6df453f50deb7406dda00c7af431796ecfc6fb807f30d90cc931aa6f7b8627bf40

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3544	3496	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

38 3544 mshta.exe

flow	pid	process
38	3544	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3496 WINWORD.EXE
3496 WINWORD.EXE

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

WINWORD.EXE

pid	process
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3496 wrote to memory of 3544	3496	WINWORD.EXE	mshta.exe
PID 3496 wrote to memory of 3544	3496	WINWORD.EXE	mshta.exe
PID 3496 wrote to memory of 3544	3496	WINWORD.EXE	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\report-010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\kingSeaCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\kingSeaCaroline.hta
MD5
fc60bfbcfb72c73cf4380e3d69f8ff30

SHA1
ec4c91db6a6459c765e90db04294094f264d28c3

SHA256
f4c0fdcc5b0a4f27af58e52571b63b121d09ae37f5d9772d68c2912f6c2ae58b

SHA512
f21c3e33042434d1bd0a4ff74210a280f5f30b8c36f0b5623f1659e8f0ef7a5c79a643864b1e6032fb69485a8c7dd10d983640784d678b8d04688d4a315f675a

Download Submit
memory/3496-115-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp

Filesize
64KB

Download
memory/3496-116-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp

Filesize
64KB

Download
memory/3496-117-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp

Filesize
64KB

Download
memory/3496-118-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp

Filesize
64KB

Download
memory/3496-120-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp

Filesize
8KB

Download
memory/3496-119-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp

Filesize
8KB

Download
memory/3496-121-0x00007FFAF61C0000-0x00007FFAF61D0000-memory.dmp

Filesize
64KB

Download
memory/3496-122-0x0000019AFE7C0000-0x0000019AFE7C2000-memory.dmp

Filesize
8KB

Download
memory/3544-256-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads