Analysis
-
max time kernel
151s -
max time network
199s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 20:37
Static task
static1
Behavioral task
behavioral1
Sample
certificate.010.21.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
certificate.010.21.doc
Resource
win10-en-20211014
General
-
Target
certificate.010.21.doc
-
Size
34KB
-
MD5
f58cbc77264954ce63205bdbaee93f25
-
SHA1
3b61d17939067fa6086c09260edd5951cc797e81
-
SHA256
2588782842cfb9bfe76b4516ad66aee020b5f5d90f74a91106840c4491c78cf8
-
SHA512
9e2a98e3418715b37ba02953c75828b85b818a9c140de97f4cc7164ae3a4f00a8537342d38c09051d94dfad0a60b8d7dd3d069a897100d4f1781c8fe012425a4
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3776 3464 mshta.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 34 3776 mshta.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3464 WINWORD.EXE 3464 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 20 IoCs
Processes:
WINWORD.EXEpid process 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE 3464 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 3464 wrote to memory of 3776 3464 WINWORD.EXE mshta.exe PID 3464 wrote to memory of 3776 3464 WINWORD.EXE mshta.exe PID 3464 wrote to memory of 3776 3464 WINWORD.EXE mshta.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificate.010.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\redCaroline.htaMD5
57425688ce24cb6a11e916c881c6b98a
SHA16c9ee880af48620a12f5a6e289bceb799121d79a
SHA256ada29317ab1852485d22e6dd89b4623f10625c78937d4b360e9bdef3d1d099f5
SHA51217e64381274361bd421b4f7e700d69b8cf07fb0bc8e877aa9621661eb562f1e8f6aef1d2d6d0fb1ae494a23dddb24d561dc76065cf88ce3a8eda05d630193847
-
memory/3464-115-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3464-116-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3464-117-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3464-118-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3464-119-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmpFilesize
64KB
-
memory/3464-121-0x000001D168A40000-0x000001D168A42000-memory.dmpFilesize
8KB
-
memory/3464-120-0x000001D168A40000-0x000001D168A42000-memory.dmpFilesize
8KB
-
memory/3464-122-0x000001D168A40000-0x000001D168A42000-memory.dmpFilesize
8KB
-
memory/3776-256-0x0000000000000000-mapping.dmp