aa8f2b060e929883fab4209f54d43b5c7ac75d98926180a61c13eca889cddeb3

General

Target

dictate-010.21.doc
Size

34KB
MD5

27c6e3a95419811dade0a91336ed78ba
SHA1

1cb11df53cb076607bb6c3aac65c9efd7238e5c0
SHA256

aa8f2b060e929883fab4209f54d43b5c7ac75d98926180a61c13eca889cddeb3
SHA512

d83ff89f2a06d0ee3913bad17262cf0bcacdc9a1147592458e7ba79dc63a9a592ea5d1e12c3c96d15d55bfe435eb015a12a019c0114a318733d5508ca3f8f0c9

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4928	4336	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

37 4928 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
37	4928	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4336 WINWORD.EXE
4336 WINWORD.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXE

pid	process
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE
4336	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEmshta.exe

description	pid	process	target process
PID 4336 wrote to memory of 4928	4336	WINWORD.EXE	mshta.exe
PID 4336 wrote to memory of 4928	4336	WINWORD.EXE	mshta.exe
PID 4336 wrote to memory of 4928	4336	WINWORD.EXE	mshta.exe
PID 4928 wrote to memory of 400	4928	mshta.exe	regsvr32.exe
PID 4928 wrote to memory of 400	4928	mshta.exe	regsvr32.exe
PID 4928 wrote to memory of 400	4928	mshta.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate-010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaYouCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\seaLadyLine.jpg
3⤵
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\seaYouCaroline.hta
MD5
836cfe47fac47e317b075e1221957676

SHA1
5f55dd4c8572c8c5e52bafca8c89e1ad0d97e11f

SHA256
ae195755cd0ed8279ea7f7666a420fa45afb4863839999a3f541264213ffa175

SHA512
cf99e94fe171e8ee9df723b68105e197c79999eaa9dfde1a2bb7d456473c8ef2637f6b05495b9ad021bc60d5abd561794fd13833ed6e1e48e90307376c5b0585

Download Submit
\??\c:\users\public\seaLadyLine.jpg
MD5
504f2870481c875c03373249cdf38e49

SHA1
7f34068ef0f8b8208003aec1e2f6742125c47acf

SHA256
57ce0aa9c7767160043b7b4e0778043697ee1ee90c05409325a82007a7ef7c5f

SHA512
2c5e35de54a4f8658b01d144d5d1ba935cb851badcc96993492be298452ea7d0036bdfbc1d6e1091fecd074a400e31b53e1f7f4211bddf6d515bfbe6952535aa

Download Submit
memory/400-287-0x0000000000000000-mapping.dmp

Download
memory/4336-115-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp

Filesize
64KB

Download
memory/4336-116-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp

Filesize
64KB

Download
memory/4336-117-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp

Filesize
64KB

Download
memory/4336-118-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp

Filesize
64KB

Download
memory/4336-119-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp

Filesize
8KB

Download
memory/4336-120-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp

Filesize
8KB

Download
memory/4336-121-0x00007FFBF0C60000-0x00007FFBF0C70000-memory.dmp

Filesize
64KB

Download
memory/4336-122-0x00000210ADBA0000-0x00000210ADBA2000-memory.dmp

Filesize
8KB

Download
memory/4928-256-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads