66f8131b30c926ba68558b4976f46447ea24116c55249e7bcac6dd23a6cb3224

General

Target

certificate.010.21.doc
Size

34KB
MD5

f58cbc77264954ce63205bdbaee93f25
SHA1

3b61d17939067fa6086c09260edd5951cc797e81
SHA256

2588782842cfb9bfe76b4516ad66aee020b5f5d90f74a91106840c4491c78cf8
SHA512

9e2a98e3418715b37ba02953c75828b85b818a9c140de97f4cc7164ae3a4f00a8537342d38c09051d94dfad0a60b8d7dd3d069a897100d4f1781c8fe012425a4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3776	3464	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

34 3776 mshta.exe

flow	pid	process
34	3776	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3464 WINWORD.EXE
3464 WINWORD.EXE

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXE

pid	process
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3464 wrote to memory of 3776	3464	WINWORD.EXE	mshta.exe
PID 3464 wrote to memory of 3776	3464	WINWORD.EXE	mshta.exe
PID 3464 wrote to memory of 3776	3464	WINWORD.EXE	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificate.010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redCaroline.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\redCaroline.hta
MD5
57425688ce24cb6a11e916c881c6b98a

SHA1
6c9ee880af48620a12f5a6e289bceb799121d79a

SHA256
ada29317ab1852485d22e6dd89b4623f10625c78937d4b360e9bdef3d1d099f5

SHA512
17e64381274361bd421b4f7e700d69b8cf07fb0bc8e877aa9621661eb562f1e8f6aef1d2d6d0fb1ae494a23dddb24d561dc76065cf88ce3a8eda05d630193847

Download Submit
memory/3464-115-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3464-116-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3464-117-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3464-118-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3464-119-0x00007FFB887E0000-0x00007FFB887F0000-memory.dmp

Filesize
64KB

Download
memory/3464-121-0x000001D168A40000-0x000001D168A42000-memory.dmp

Filesize
8KB

Download
memory/3464-120-0x000001D168A40000-0x000001D168A42000-memory.dmp

Filesize
8KB

Download
memory/3464-122-0x000001D168A40000-0x000001D168A42000-memory.dmp

Filesize
8KB

Download
memory/3776-256-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads