Analysis
- max time kernel: 113s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 17:02
Static task: static1
Behavioral task: behavioral1
- Sample: documents-010.21.doc
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: documents-010.21.doc
- Resource: win10-en-20210920
General
- Target: documents-010.21.doc
- Size: 34KB
- MD5: 45b351e528729b2497285224a2cba401
- SHA1: 49cca34a6d2338c575cd82e9eff6984f388e50a9
- SHA256: 0e412a3579154b025a22360faf38aac50ddb3b02d1b71e0293588f341306593a
- SHA512: 3a1e4032e37850250213a61911f4229eb33defc5f508bbfa71fd9cc794bfa47c86bc121acd8acddf241d8d6dfc07819ee73f7bfa151d6e5f1886c1cba2f19be8
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    pid 4132 (mshta.exe), target pid 4004 (WINWORD.EXE): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 29, pid 4132 (mshta.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid 4004 (WINWORD.EXE), 2 occurrences
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes:
    pid 4004 (WINWORD.EXE), 19 occurrences
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4004 (WINWORD.EXE) wrote to memory of 4132 (mshta.exe), 3 occurrences
    PID 4132 (mshta.exe) wrote to memory of 4188 (regsvr32.exe), 3 occurrences
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documents-010.21.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\mshta.exe (child of 1)
   Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\youRedIn.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
   - Process spawned unexpected child process
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\regsvr32.exe (child of 2)
   Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\inMyLady.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\youRedIn.hta
  MD5: 0a09a757949b5b5554a841daa5b88a99
  SHA1: 0dfddb99a5f716ee2f7cf213e11f9a543fa1210b
  SHA256: e317a76deca332dd12cd1888a86c794485862b07e0f06d15e5f91cc6d439eb82
  SHA512: ff23dfcbcc7e26e189f58026c9c6f56686a84e4dc54e11031b7a93769864c1725eb86e85981822a2200db719068e6683138a8e2f837349eaf4dab77674165fa3
- \??\c:\users\public\inMyLady.jpg
  MD5: 504f2870481c875c03373249cdf38e49
  SHA1: 7f34068ef0f8b8208003aec1e2f6742125c47acf
  SHA256: 57ce0aa9c7767160043b7b4e0778043697ee1ee90c05409325a82007a7ef7c5f
  SHA512: 2c5e35de54a4f8658b01d144d5d1ba935cb851badcc96993492be298452ea7d0036bdfbc1d6e1091fecd074a400e31b53e1f7f4211bddf6d515bfbe6952535aa

Memory dumps
- memory/4004-115-0x00007FF963030000-0x00007FF963040000-memory.dmp (64KB)
- memory/4004-116-0x00007FF963030000-0x00007FF963040000-memory.dmp (64KB)
- memory/4004-117-0x00007FF963030000-0x00007FF963040000-memory.dmp (64KB)
- memory/4004-118-0x00007FF963030000-0x00007FF963040000-memory.dmp (64KB)
- memory/4004-120-0x0000026953D80000-0x0000026953D82000-memory.dmp (8KB)
- memory/4004-119-0x0000026953D80000-0x0000026953D82000-memory.dmp (8KB)
- memory/4004-121-0x00007FF963030000-0x00007FF963040000-memory.dmp (64KB)
- memory/4004-122-0x0000026953D80000-0x0000026953D82000-memory.dmp (8KB)
- memory/4132-260-0x0000000000000000-mapping.dmp
- memory/4188-285-0x0000000000000000-mapping.dmp