0e412a3579154b025a22360faf38aac50ddb3b02d1b71e0293588f341306593a

General

Target

documents-010.21.doc
Size

34KB
MD5

45b351e528729b2497285224a2cba401
SHA1

49cca34a6d2338c575cd82e9eff6984f388e50a9
SHA256

0e412a3579154b025a22360faf38aac50ddb3b02d1b71e0293588f341306593a
SHA512

3a1e4032e37850250213a61911f4229eb33defc5f508bbfa71fd9cc794bfa47c86bc121acd8acddf241d8d6dfc07819ee73f7bfa151d6e5f1886c1cba2f19be8

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4132	4004	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

29 4132 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
29	4132	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4004 WINWORD.EXE
4004 WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	process
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE
4004	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEmshta.exe

description	pid	process	target process
PID 4004 wrote to memory of 4132	4004	WINWORD.EXE	mshta.exe
PID 4004 wrote to memory of 4132	4004	WINWORD.EXE	mshta.exe
PID 4004 wrote to memory of 4132	4004	WINWORD.EXE	mshta.exe
PID 4132 wrote to memory of 4188	4132	mshta.exe	regsvr32.exe
PID 4132 wrote to memory of 4188	4132	mshta.exe	regsvr32.exe
PID 4132 wrote to memory of 4188	4132	mshta.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documents-010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\youRedIn.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\inMyLady.jpg
3⤵
PID:4188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\youRedIn.hta
MD5
0a09a757949b5b5554a841daa5b88a99

SHA1
0dfddb99a5f716ee2f7cf213e11f9a543fa1210b

SHA256
e317a76deca332dd12cd1888a86c794485862b07e0f06d15e5f91cc6d439eb82

SHA512
ff23dfcbcc7e26e189f58026c9c6f56686a84e4dc54e11031b7a93769864c1725eb86e85981822a2200db719068e6683138a8e2f837349eaf4dab77674165fa3

Download Submit
\??\c:\users\public\inMyLady.jpg
MD5
504f2870481c875c03373249cdf38e49

SHA1
7f34068ef0f8b8208003aec1e2f6742125c47acf

SHA256
57ce0aa9c7767160043b7b4e0778043697ee1ee90c05409325a82007a7ef7c5f

SHA512
2c5e35de54a4f8658b01d144d5d1ba935cb851badcc96993492be298452ea7d0036bdfbc1d6e1091fecd074a400e31b53e1f7f4211bddf6d515bfbe6952535aa

Download Submit
memory/4004-115-0x00007FF963030000-0x00007FF963040000-memory.dmp

Filesize
64KB

Download
memory/4004-116-0x00007FF963030000-0x00007FF963040000-memory.dmp

Filesize
64KB

Download
memory/4004-117-0x00007FF963030000-0x00007FF963040000-memory.dmp

Filesize
64KB

Download
memory/4004-118-0x00007FF963030000-0x00007FF963040000-memory.dmp

Filesize
64KB

Download
memory/4004-120-0x0000026953D80000-0x0000026953D82000-memory.dmp

Filesize
8KB

Download
memory/4004-119-0x0000026953D80000-0x0000026953D82000-memory.dmp

Filesize
8KB

Download
memory/4004-121-0x00007FF963030000-0x00007FF963040000-memory.dmp

Filesize
64KB

Download
memory/4004-122-0x0000026953D80000-0x0000026953D82000-memory.dmp

Filesize
8KB

Download
memory/4132-260-0x0000000000000000-mapping.dmp

Download
memory/4188-285-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads