Analysis
- max time kernel: 140s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 18:28
- Static task: static1
- Behavioral task: behavioral1 (sample dictate-010.21.doc, resource win7-en-20210920)
- Behavioral task: behavioral2 (sample dictate-010.21.doc, resource win10-en-20211014)
General
- Target: dictate-010.21.doc
- Size: 34KB
- MD5: 27c6e3a95419811dade0a91336ed78ba
- SHA1: 1cb11df53cb076607bb6c3aac65c9efd7238e5c0
- SHA256: aa8f2b060e929883fab4209f54d43b5c7ac75d98926180a61c13eca889cddeb3
- SHA512: d83ff89f2a06d0ee3913bad17262cf0bcacdc9a1147592458e7ba79dc63a9a592ea5d1e12c3c96d15d55bfe435eb015a12a019c0114a318733d5508ca3f8f0c9
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    pid 4928 mshta.exe, target pid 4336 WINWORD.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 37, pid 4928 mshta.exe
  The Network section of this report carries no flow records, so the destination of flow 37 is not recoverable from this page; the HTA that mshta.exe executed (hashes under Downloads) is where the request logic lives.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That last sentence is the sandbox's generic text for this TTP. No process is listed for it, and nothing else in the report (two dropped files, no mass file access) supports a ransomware reading of this sample.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  All three reads come from WINWORD.EXE itself, not from the dropped HTA or DLL, and Office queries these keys during normal start-up, so on their own they are low-signal.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  As with the processor keys, these are WINWORD.EXE's own reads rather than payload activity.
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid 4336 WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (24 IoCs)
  Processes:
    pid 4336 WINWORD.EXE (24 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4336 wrote to memory of 4928   4336 WINWORD.EXE -> mshta.exe     (3 occurrences)
    PID 4928 wrote to memory of 400    4928 mshta.exe   -> regsvr32.exe  (3 occurrences)
  The writes line up exactly with the two process creations in the Processes tree (each parent writing into the child it has just created); there is no write into an unrelated process that would indicate injection.
Processes
- (1) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, pid 4336
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate-010.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\mshta.exe, pid 4928, child of (1)
    "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaYouCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\regsvr32.exe, pid 400, child of (2)
      "C:\Windows\System32\regsvr32.exe" c:\users\public\seaLadyLine.jpg

Three things a responder should take from this tree. First, the chain is Word -> mshta.exe -> regsvr32.exe, with both stages staged in C:\users\public, a directory every user can write to without elevation. Second, the .jpg extension on seaLadyLine.jpg is cosmetic: regsvr32.exe loads its argument with LoadLibrary and calls the DllRegisterServer export whatever the file is called, so the file is a DLL and should be triaged as one (its hashes are under Downloads). Third, regsvr32.exe ran from SysWOW64 although the command line names System32: mshta.exe here is the 32-bit copy, so WoW64 file-system redirection substituted the 32-bit regsvr32.exe, and the DLL is loaded into a 32-bit process. The WINWORD.EXE memory regions listed under Downloads are in the 64-bit user address range (0x00007FFB...), so this is 64-bit Office starting the 32-bit mshta.exe, which a 64-bit process, not being subject to WoW64 redirection, can only do by naming the SysWOW64 path explicitly.
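The signatures above and the process tree are the same evidence seen from two sides: an Office parent starting a LOLBin, a script host running a file dropped in a world-writable directory, and regsvr32 loading a non-.dll file. The following is an added example of detection logic for those three behaviours, written for this page and not part of the sandbox output. It runs over constructed Sysmon-style process-creation records (pid, parent pid, image, command line) that reproduce the tree in this report (pids 4336 -> 4928 -> 400); the event format, the explorer parent pid 1234 and the three benign control events are assumptions for the example.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Office hosts whose child processes are worth scrutinising.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries an Office process has no business starting directly.
LOLBIN_CHILDREN = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Extensions regsvr32 has a legitimate reason to load; anything else (here .jpg)
# is still loaded as a DLL, the name is cosmetic.
REGSVR32_MODULE_EXT = {".dll", ".ocx", ".ax"}
# User-writable staging directories (both stages in this report live in C:\users\public).
WRITABLE_DROP_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable that started
    cmdline: str  # command line as logged


# Constructed events reproducing the tree in this report (pids 4336 -> 4928 -> 400),
# plus three benign controls that the rules must not flag: Word started from an
# assumed explorer.exe pid 1234, a print helper child of Word, and an installer
# registering a real DLL.
SAMPLE_EVENTS = [
    ProcEvent(4336, 1234, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\dictate-010.21.doc" /o ""'),
    ProcEvent(4928, 4336, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaYouCaroline.hta" '
              r'{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcEvent(400, 4928, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" c:\users\public\seaLadyLine.jpg'),
    ProcEvent(5000, 1234, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\Documents\notes.docx"'),
    ProcEvent(5100, 5000, r"C:\Windows\System32\splwow64.exe",
              r'"C:\Windows\System32\splwow64.exe" 12288'),
    ProcEvent(5200, 1234, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def image_name(path: str) -> str:
    """Lower-case basename of an image path, tolerating an NT \\??\\ prefix."""
    return ntpath.basename(path.replace("\\??\\", "")).lower()


def analyze(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Apply three rules to process-creation events; return (rule, pid, detail)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        args = split_cmdline(e.cmdline)[1:]  # drop argv[0], the executable itself

        # Rule 1: Office parent starting a LOLBin (WINWORD.EXE -> mshta.exe here).
        if parent_name in OFFICE_IMAGES and name in LOLBIN_CHILDREN:
            findings.append(("office_spawns_lolbin", e.pid, f"{parent_name} -> {name}"))

        # Rule 2: script host running a script staged in a user-writable directory.
        if name in SCRIPT_HOSTS:
            staged = [a for a in args if any(d in a.lower() for d in WRITABLE_DROP_DIRS)]
            if staged:
                findings.append(("script_from_writable_dir", e.pid, staged[0]))

        # Rule 3: regsvr32 given a module that is not a COM DLL by extension.
        if name == "regsvr32.exe":
            for module in (a for a in args if not a.startswith(("/", "-"))):
                if ntpath.splitext(module)[1].lower() not in REGSVR32_MODULE_EXT:
                    findings.append(("regsvr32_nonstandard_module", e.pid, module))
    return findings


def ancestry(events: list[ProcEvent], pid: int) -> str:
    """Render the parent chain of a pid so a finding carries its full context."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # guard against cyclic pid reuse
        seen.add(pid)
        chain.append(f"{image_name(by_pid[pid].image)}({pid})")
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:<28} {ancestry(SAMPLE_EVENTS, pid)}\n    {detail}")
```

Rule 1 is the sandbox's "unexpected child process" signature made explicit; rules 2 and 3 key on the two artefacts that survive a rename of the dropped files, the staging directory and the mismatch between what regsvr32 is asked to load and what it actually loads. On real telemetry the parent lookup should be done on the logged parent image rather than by re-joining pids, since pids are reused.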
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\seaYouCaroline.hta
  MD5: 836cfe47fac47e317b075e1221957676
  SHA1: 5f55dd4c8572c8c5e52bafca8c89e1ad0d97e11f
  SHA256: ae195755cd0ed8279ea7f7666a420fa45afb4863839999a3f541264213ffa175
  SHA512: cf99e94fe171e8ee9df723b68105e197c79999eaa9dfde1a2bb7d456473c8ef2637f6b05495b9ad021bc60d5abd561794fd13833ed6e1e48e90307376c5b0585
- \??\c:\users\public\seaLadyLine.jpg
  MD5: 504f2870481c875c03373249cdf38e49
  SHA1: 7f34068ef0f8b8208003aec1e2f6742125c47acf
  SHA256: 57ce0aa9c7767160043b7b4e0778043697ee1ee90c05409325a82007a7ef7c5f
  SHA512: 2c5e35de54a4f8658b01d144d5d1ba935cb851badcc96993492be298452ea7d0036bdfbc1d6e1091fecd074a400e31b53e1f7f4211bddf6d515bfbe6952535aa
- memory/400-287-0x0000000000000000-mapping.dmp
- memory/4336-115-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp (64KB)
- memory/4336-116-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp (64KB)
- memory/4336-117-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp (64KB)
- memory/4336-118-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp (64KB)
- memory/4336-119-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp (8KB)
- memory/4336-120-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp (8KB)
- memory/4336-121-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp (64KB)
- memory/4336-122-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp (8KB)
- memory/4928-256-0x0000000000000000-mapping.dmp