Analysis
- max time kernel: 279s
- max time network: 298s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: question.010.21.doc
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: question.010.21.doc
- Resource: win10-en-20211014
General
- Target: question.010.21.doc
- Size: 34KB
- MD5: 7a87ef713680cc71ba38945b305a9579
- SHA1: 08f858b709bea8c5e16bdd026338f02cb7605c88
- SHA256: 2a46ff6e614f60b3166614e9f7f94d0b001cda9b8a2b296e917b0b6aa54dba12
- SHA512: 91473bf2ea429e17198ec0dad53cd8323e4d9b520cf63a57857e45fef7edad823b29a648fcd4f166460a6b1bd43ccbcfe9c2c677d1c97d1885a6108c92cdaba0
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 1344 (mshta.exe)
  target pid: 2744 (WINWORD.EXE)
-
suricata: ET MALWARE BazaLoader Activity (GET)
suricata: ET MALWARE BazaLoader Activity (GET)
-
Bazar/Team9 Loader payload 1 IoCs
Processes:
  resource: behavioral2/memory/908-293-0x0000000002E90000-0x00000000030B6000-memory.dmp
  yara_rule: BazarLoaderVar5
-
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exe
  flow: 40
  pid: 1344 (mshta.exe)
-
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exe, regsvr32.exe
  pid 3028: regsvr32.exe
  pid 908: regsvr32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
  pid 2744: WINWORD.EXE (2 events)
-
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
WINWORD.EXE
  pid 2744: WINWORD.EXE (20 events)
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
WINWORD.EXE, mshta.exe, regsvr32.exe
  PID 2744 (WINWORD.EXE) wrote to memory of 1344 (mshta.exe): 3 events
  PID 1344 (mshta.exe) wrote to memory of 3028 (regsvr32.exe): 3 events
  PID 3028 (regsvr32.exe) wrote to memory of 908 (regsvr32.exe): 2 events
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question.010.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaRedSea.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\seaSeaLady.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\regsvr32.exe
        Command line: c:\users\public\seaSeaLady.jpg
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\seaRedSea.hta
  MD5: 937fd4b981d32e8d76e28d924568fcee
  SHA1: 61d97a255a266e21dc326ad44e7c1d350eb0b91e
  SHA256: c6218d2af935d5b2c97d9d0fb4b2c35aa24709e5704b51c8866ba1af44eb9342
  SHA512: 82646b237109cefa9d2ef6c5de1494052c0f80a7302e91311b96bf3032251932a55ef87c419cb530444c9ac0886a7309e59c840eb075bb5320ff59b28d85a0c2
- \??\c:\users\public\seaSeaLady.jpg
  MD5: 76c16aea3ab81669aa3f1a5a81f71cb3
  SHA1: a1205a8accb4fe42effc71d61fd655d891b7426f
  SHA256: 3982db7257a243268b58b4f3dd23e15b55fefbb9eada6ab89e8ff21c80e7e150
  SHA512: bbe9ea2bd0448e3320c3c402b6d331ab4d85c2cb4928b8f5edeec3ea5973d3a9ba5531056d097a951a88bb73073ce3559344cfe68977f1cabd4a647c00b2cd6f
- \Users\Public\seaSeaLady.jpg
  MD5: 76c16aea3ab81669aa3f1a5a81f71cb3
  SHA1: a1205a8accb4fe42effc71d61fd655d891b7426f
  SHA256: 3982db7257a243268b58b4f3dd23e15b55fefbb9eada6ab89e8ff21c80e7e150
  SHA512: bbe9ea2bd0448e3320c3c402b6d331ab4d85c2cb4928b8f5edeec3ea5973d3a9ba5531056d097a951a88bb73073ce3559344cfe68977f1cabd4a647c00b2cd6f
- memory/908-293-0x0000000002E90000-0x00000000030B6000-memory.dmp (Filesize: 2.1MB)
- memory/908-290-0x0000000000000000-mapping.dmp
- memory/1344-255-0x0000000000000000-mapping.dmp
- memory/2744-122-0x0000026896F40000-0x0000026896F42000-memory.dmp (Filesize: 8KB)
- memory/2744-115-0x00007FFCF9770000-0x00007FFCF9780000-memory.dmp (Filesize: 64KB)
- memory/2744-121-0x0000026896F40000-0x0000026896F42000-memory.dmp (Filesize: 8KB)
- memory/2744-120-0x0000026896F40000-0x0000026896F42000-memory.dmp (Filesize: 8KB)
- memory/2744-119-0x00007FFCF9770000-0x00007FFCF9780000-memory.dmp (Filesize: 64KB)
- memory/2744-118-0x00007FFCF9770000-0x00007FFCF9780000-memory.dmp (Filesize: 64KB)
- memory/2744-117-0x00007FFCF9770000-0x00007FFCF9780000-memory.dmp (Filesize: 64KB)
- memory/2744-116-0x00007FFCF9770000-0x00007FFCF9780000-memory.dmp (Filesize: 64KB)
- memory/3028-281-0x0000000000000000-mapping.dmp