1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060

Resubmissions

22-10-2021 16:01

211022-tf86cacgbk 10

20-10-2021 20:51

211020-zncp1aheh9 10

Analysis

max time kernel
119s
max time network
136s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dictate 010.21.doc
Size

34KB
MD5

3128a1aa061355d275cd323336148c4a
SHA1

63b5fba4691c68f0c268fd65b6dda64150b4facc
SHA256

1cdae1a82f4320ba429c8aa6cb7b9236bae8edcf5fe67b79242aa0dcce157060
SHA512

04d1e8e2b360a87f2e37a1d036cd415c4078546577cdc02528e1f32c64df917b86bb95a011e8b36eed30d3c18bf1633db458feb5140c28e076c2b170f621559a

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	836	3496	mshta.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3496 WINWORD.EXE
3496 WINWORD.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXE

pid	process
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE
3496	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 3496 wrote to memory of 836	3496	WINWORD.EXE	mshta.exe
PID 3496 wrote to memory of 836	3496	WINWORD.EXE	mshta.exe
PID 3496 wrote to memory of 836	3496	WINWORD.EXE	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate 010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\redKingIn.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\redKingIn.hta
MD5
fde6308f2d09731ef8c3457908ab41f3

SHA1
ff38e422ee794d25942fd01363154f6afd2039fa

SHA256
8f3d9dcbdd0b408eca4f7224a5f900ce86e3c9400ff96cc427a8c2a9c7105370

SHA512
405b0a6fb6b8930519263537ff673e42fb13eee54e14622229cf3d16187ee7512270f72c220501f26cc49a41c46c101a180045b59e7130dfa8bdf0df20144993

Download Submit
memory/836-258-0x0000000000000000-mapping.dmp

Download
memory/3496-116-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

Filesize
64KB

Download
memory/3496-117-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

Filesize
64KB

Download
memory/3496-118-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

Filesize
64KB

Download
memory/3496-119-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

Filesize
64KB

Download
memory/3496-120-0x00007FFD2B5F0000-0x00007FFD2B600000-memory.dmp

Filesize
64KB

Download
memory/3496-122-0x000001E7C8B90000-0x000001E7C8B92000-memory.dmp

Filesize
8KB

Download
memory/3496-121-0x000001E7C8B90000-0x000001E7C8B92000-memory.dmp

Filesize
8KB

Download
memory/3496-123-0x000001E7C8B90000-0x000001E7C8B92000-memory.dmp

Filesize
8KB

Download