Analysis
- max time kernel: 136s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 16:50

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: inquiry,010.21.2021.doc
  Resource: win7-en-20211014
- Behavioral task: behavioral2
  Sample: inquiry,010.21.2021.doc
  Resource: win10-en-20210920
General
- Target: inquiry,010.21.2021.doc
- Size: 34KB
- MD5: b9470a968a6edf4b2ce6c52d69610235
- SHA1: 5219339d196bd7c698f51973c06c1a32370d9f65
- SHA256: bdd3eeea2e9c2930f75115dc2bccfef990d6aae5d8b0253c1e0effa0b1911b5b
- SHA512: bdbec4af4913e9b87603f3d1c946667782803f32a8d194de4aa9ce7eae0da7c1b16b8bfbc9d467bba1aa5e9a48ff650aaf26c886a2d1c1cb9d7fc5dc732e85ea
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 5068 | 764 | mshta.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    33 | 5068 | mshta.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    764 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (21 IoCs)
  Processes (pid | process):
    764 | WINWORD.EXE (21 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 764 wrote to memory of 5068 | 764 | WINWORD.EXE | mshta.exe (3 occurrences)
    PID 5068 wrote to memory of 4364 | 5068 | mshta.exe | regsvr32.exe (3 occurrences)
Processes (tree; indentation shows parent/child depth)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\inquiry,010.21.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\kingSeaCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\carolineLadySea.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\kingSeaCaroline.hta
  MD5: fc60bfbcfb72c73cf4380e3d69f8ff30
  SHA1: ec4c91db6a6459c765e90db04294094f264d28c3
  SHA256: f4c0fdcc5b0a4f27af58e52571b63b121d09ae37f5d9772d68c2912f6c2ae58b
  SHA512: f21c3e33042434d1bd0a4ff74210a280f5f30b8c36f0b5623f1659e8f0ef7a5c79a643864b1e6032fb69485a8c7dd10d983640784d678b8d04688d4a315f675a
- \??\c:\users\public\carolineLadySea.jpg
  MD5: 4007b2db898dbd042f6f62a3e60539ae
  SHA1: 5f926b178fc208723ee165a120f7570a1f1c0dbe
  SHA256: 5a8fb71dcd8a5b56672ffae188baab6370648a2b9ca0dc763add672db2cac0d0
  SHA512: 4ff8b9db8d2271d971369ab15256a7746533f7545d61b85a09edb86297d61206ade0bac69cc726ea8cc819ada9f37d5148cc1c0199ef4e1520815bbaf47e30f6

Memory dumps (file | size)
- memory/764-115-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp | 64KB
- memory/764-116-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp | 64KB
- memory/764-117-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp | 64KB
- memory/764-118-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp | 64KB
- memory/764-119-0x000002130A940000-0x000002130A942000-memory.dmp | 8KB
- memory/764-120-0x000002130A940000-0x000002130A942000-memory.dmp | 8KB
- memory/764-121-0x00007FFD783B0000-0x00007FFD783C0000-memory.dmp | 64KB
- memory/764-122-0x000002130A940000-0x000002130A942000-memory.dmp | 8KB
- memory/4364-278-0x0000000000000000-mapping.dmp
- memory/5068-260-0x0000000000000000-mapping.dmp