Analysis
- max time kernel: 149s
- max time network: 163s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 17:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: documents.010.21.doc
  - Resource: win7-en-20210920
- Behavioral task: behavioral2
  - Sample: documents.010.21.doc
  - Resource: win10-en-20210920

The signatures, process tree and artifacts below belong to behavioral2 (Windows 10 x64, win10-en-20210920): the platform and resource fields match that task and the YARA hit is recorded under behavioral2/.
General
- Target: documents.010.21.doc
- Size: 34KB
- MD5:    f869be235ac0196ca99e14cc06486306
- SHA1:   2bfd9a48321eef1e2458caf1559080aa213cadf4
- SHA256: 1b69a8362748d0d810262dd461bdb1bb778273f2760071bc773fe98b4f510cb4
- SHA512: 658622b3e5942421f7f062628ff5328242c07057ac450210b46977cc8d5684f2bdf87687b8e1023d8b6c7b5661710546be6ae2e9016f7fc9a0afee92bd1f9a31
Malware Config
Signatures

- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                                               pid  pid_target  process    target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  956  4372        mshta.exe  WINWORD.EXE

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   process       target process
  PID 2636 created 2888  2636  regsvr32.exe  Explorer.EXE
  A process was created with a parent handle other than the caller's own. In the process tree below chrome.exe sits under Explorer.EXE rather than under the regsvr32.exe that writes into it, which is what parent-PID spoofing looks like.

- Bazar/Team9 Loader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/2636-292-0x0000000180001000-0x0000000180030000-memory.dmp  BazarLoaderVar5

- Blocklisted process makes network request (1 IoC)
  flow  pid  process
  24    956  mshta.exe

- Downloads MZ/PE file

- Tries to connect to .bazar domain (3 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  flow  ioc
  68    whitestorm9p.bazar
  66    reddew28c.bazar
  67    bluehail.bazar
  .bazar is not an ICANN top-level domain; it is served by Emercoin's blockchain DNS (EmerDNS), usually reached through OpenNIC-style public resolvers. Ordinary corporate resolvers cannot answer these names, so any query for the TLD, resolved or not, is itself a usable indicator.

- Loads dropped DLL (3 IoCs)
  pid   process
  2844  regsvr32.exe
  2636  regsvr32.exe
  1460  regsvr32.exe

- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process       target process
  PID 2636 set thread context of 2172  2636  regsvr32.exe  chrome.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; no file encryption is recorded in this run, and for a loader that also reads CPU and BIOS details it reads more plausibly as environment fingerprinting.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Both registry signatures are attributed to WINWORD.EXE itself, and Office reads these keys for its own telemetry, so on their own they are low-confidence; the chain that follows is the evidence.

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  4372  WINWORD.EXE  (2 identical entries)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2636  regsvr32.exe  (2 identical entries)

- Suspicious use of SetWindowsHookEx (20 IoCs)
  pid   process
  4372  WINWORD.EXE  (20 identical entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries collapse to four distinct writer/target pairs, which read as the delivery chain end to end:
  description                       pid   process       target process  entries
  PID 4372 wrote to memory of 956   4372  WINWORD.EXE   mshta.exe       3
  PID 956 wrote to memory of 2844   956   mshta.exe     regsvr32.exe    3
  PID 2844 wrote to memory of 2636  2844  regsvr32.exe  regsvr32.exe    2
  PID 2636 wrote to memory of 2172  2636  regsvr32.exe  chrome.exe      remaining 56
  The first three pairs are the handful of writes a parent makes into a child it is starting. The writes from regsvr32.exe (2636) into chrome.exe (2172), taken together with the SetThreadContext call on the same target, are the actual injection.
Processes

PIDs are taken from the signature tables above; the sandbox's tree itself shows only image paths, command lines and the signatures attached to each process.

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4372)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documents.010.21.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (PID 956)
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\myLadyYou.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 2844)
        command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\youMySea.jpg
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\regsvr32.exe (PID 2636)
          command line: c:\users\public\youMySea.jpg
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2172)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- C:\Windows\system32\regsvr32.exe (PID 1460, the third regsvr32.exe in the Loads dropped DLL table)
  command line: regsvr32 /s "c:\users\public\youMySea.jpg"
  - Loads dropped DLL

Reading the tree:
- WINWORD.EXE opens the document from the user's Temp folder and spawns mshta.exe on C:\users\public\myLadyYou.hta, the child flagged as unexpected for an Office parent; mshta.exe is also the process that makes the network request (flow 24).
- mshta.exe is the 32-bit (SysWOW64) build. The regsvr32.exe it starts has image path C:\Windows\SysWOW64\regsvr32.exe although its command line names System32, because WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers. A 32-bit regsvr32.exe that is handed a 64-bit module relaunches the native 64-bit regsvr32.exe for it, which is why the chain has two regsvr32.exe levels; the BazarLoaderVar5 YARA hit is in the 64-bit process (PID 2636) at 0x180001000, one page above 0x180000000, the default image base for 64-bit DLLs.
- youMySea.jpg is a DLL with a picture extension. regsvr32 passes its argument to LoadLibrary and calls the exported DllRegisterServer (or DllInstall with /i) regardless of the file's extension, so any control that whitelists regsvr32 arguments by extension is bypassed; inspect the MZ/PE header of the referenced file instead.
- regsvr32.exe (2636) writes into chrome.exe (2172) and then calls SetThreadContext on it, the pattern of hollowing or thread hijacking a freshly started process. chrome.exe appears under Explorer.EXE rather than under regsvr32.exe, consistent with the NtCreateUserProcessOtherParentProcess signature: the parent was spoofed so the browser looks desktop-launched.
- The final regsvr32 /s "c:\users\public\youMySea.jpg" is a separate root-level invocation of the same module; the tree shows no parent for it.
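The signatures and tree above amount to four detection rules: an Office parent spawning a LOLBin, regsvr32.exe loading a module that is not a .dll (or lives under C:\users\public), a cross-process WriteProcessMemory plus SetThreadContext, and any lookup of an EmerDNS TLD such as .bazar. The following Python is an added example, not part of the sandbox report, that runs those rules over constructed Sysmon-style events modelled on this report's chain. The event layout and field names are assumptions; the PIDs, image paths and command lines are copied from the tree, but the report does not record which process issued the .bazar lookups, so attributing them to the injected chrome.exe here is a guess made for illustration.

```python
"""Re-derive the sandbox signatures from process/DNS telemetry (added example)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# TLDs served by Emercoin's blockchain DNS, never by the ICANN root; .bazar is the one in the report.
BLOCKCHAIN_TLDS = (".bazar", ".coin", ".emc", ".lib")
DLL_EXTS = (".dll", ".ocx", ".ax", ".cpl")

WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
MSHTA = r"C:\Windows\SysWOW64\mshta.exe"
REGSVR32_32 = r"C:\Windows\SysWOW64\regsvr32.exe"
REGSVR32_64 = r"C:\Windows\system32\regsvr32.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Constructed events (assumed schema). PIDs/paths/command lines mirror the report;
# the DNS events are attributed to chrome.exe as an assumption.
EVENTS = [
    {"type": "process_create", "pid": 4372, "ppid": 2888, "image": WINWORD, "parent_image": EXPLORER,
     "cmdline": f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\documents.010.21.doc" /o ""'},
    {"type": "process_create", "pid": 956, "ppid": 4372, "image": MSHTA, "parent_image": WINWORD,
     "cmdline": f'"{MSHTA}" "C:\\users\\public\\myLadyYou.hta"'},
    {"type": "process_create", "pid": 2844, "ppid": 956, "image": REGSVR32_32, "parent_image": MSHTA,
     "cmdline": '"C:\\Windows\\System32\\regsvr32.exe" c:\\users\\public\\youMySea.jpg'},
    {"type": "process_create", "pid": 2636, "ppid": 2844, "image": REGSVR32_64, "parent_image": REGSVR32_32,
     "cmdline": "c:\\users\\public\\youMySea.jpg"},
    {"type": "process_create", "pid": 2172, "ppid": 2888, "image": CHROME, "parent_image": EXPLORER,
     "cmdline": f'"{CHROME}"'},
    {"type": "process_access", "src_pid": 2636, "src_image": REGSVR32_64, "target_pid": 2172,
     "target_image": CHROME, "calls": ["WriteProcessMemory", "SetThreadContext"]},
    {"type": "dns_query", "pid": 2172, "image": CHROME, "query": "whitestorm9p.bazar"},
    {"type": "dns_query", "pid": 2172, "image": CHROME, "query": "reddew28c.bazar"},
    {"type": "dns_query", "pid": 2172, "image": CHROME, "query": "bluehail.bazar"},
    {"type": "dns_query", "pid": 2172, "image": CHROME, "query": "update.googleapis.com"},  # benign control
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def lineage(events, pid):
    """Walk ppid links upward; returns image basenames root-first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
        if pid not in by_pid:  # parent has no record of its own (Explorer here)
            chain.append(basename(ev["parent_image"]))
    return chain[::-1]


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if parent in OFFICE_APPS and child in LOLBINS:
                hits.append(("office_spawned_lolbin", e["pid"], f"{parent} -> {child}"))
            if child == "regsvr32.exe":
                for tok in argv(e["cmdline"]):
                    # skip switches, the regsvr32 image itself and anything that is not a path
                    if tok.startswith("/") or basename(tok) == "regsvr32.exe" or "\\" not in tok:
                        continue
                    low = tok.lower()
                    if not low.endswith(DLL_EXTS) or "\\users\\public\\" in low:
                        hits.append(("regsvr32_suspicious_module", e["pid"], tok))
        elif e["type"] == "process_access":
            if {"WriteProcessMemory", "SetThreadContext"} <= set(e["calls"]) and e["src_pid"] != e["target_pid"]:
                hits.append(("thread_context_injection", e["src_pid"],
                             f"{basename(e['src_image'])} -> {basename(e['target_image'])} (pid {e['target_pid']})"))
        elif e["type"] == "dns_query":
            if e["query"].lower().endswith(BLOCKCHAIN_TLDS):
                hits.append(("blockchain_tld_lookup", e["pid"], e["query"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
    print("chain to injector:", " > ".join(lineage(EVENTS, 2636)))
```

The regsvr32 rule deliberately scans every path-like token rather than only the first argument, because the 64-bit relaunch (PID 2636) carries the module path as its whole command line. Extension checks remain a weak signal on their own; pairing the hit with the parent chain (Explorer > WINWORD > mshta > regsvr32 > regsvr32) is what makes it actionable.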
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\users\public\myLadyYou.hta
  MD5:    c61438c62ed2365acf96666d60693f7f
  SHA1:   fb6a583b20018529b1a582aefed72610ebee0e15
  SHA256: 7000ec866763706f0244525b0951606dd9a18f3acfb338b13cc8b4ef437a814f
  SHA512: 9d11669828022f409f68623a3a29343b11b78d3449b099439f23b1b00785209496776dbae5c7dd310af2306bfb673e9e118dd200a82a7146c51ff716ac694c0c

- \??\c:\users\public\youMySea.jpg, also recorded as \Users\Public\youMySea.jpg (the report lists the latter path three times with identical hashes; it is shown once here)
  MD5:    8920656d448e25e9a44bf97c95f4454c
  SHA1:   820b95ffd2a65dfadf76405e7e48954738151d55
  SHA256: b468617dec01544aac64ee7ca16e16094a4eb2905eb0845e600eb6b4ad849843
  SHA512: 4a1e1b97de9687cc4ca8f74a2fa47ee5157e67fd98d0fee7db5391b28f2d0036405daa7401b29cdc2938ddd55fd29d2ad9b0c994eb1373747ed2b98e8c3909c2
  Despite the .jpg extension this is the module all three regsvr32.exe instances load (Loads dropped DLL), which is consistent with the Downloads MZ/PE file signature.

Memory dumps

dump                                                              size   note
memory/956-260-0x0000000000000000-mapping.dmp                     -      mapping only
memory/2636-284-0x0000000000000000-mapping.dmp                    -      mapping only
memory/2636-292-0x0000000180001000-0x0000000180030000-memory.dmp  188KB  YARA: BazarLoaderVar5
memory/2844-281-0x0000000000000000-mapping.dmp                    -      mapping only
memory/4372-115-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp  64KB
memory/4372-116-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp  64KB
memory/4372-117-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp  64KB
memory/4372-118-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp  64KB
memory/4372-119-0x0000025D7B370000-0x0000025D7B372000-memory.dmp  8KB
memory/4372-120-0x0000025D7B370000-0x0000025D7B372000-memory.dmp  8KB
memory/4372-121-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp  64KB
memory/4372-122-0x0000025D7B370000-0x0000025D7B372000-memory.dmp  8KB

The dump name encodes pid, sequence number and the virtual address range. The eight WINWORD.EXE (4372) dumps are repeated captures of just two regions. The single regsvr32.exe (2636) region, 0x180001000 to 0x180030000, is 0x2F000 bytes, the 188KB the report prints, and starts one page above 0x180000000, the default image base for 64-bit DLLs: the Bazar loader module is mapped at its preferred address in the 64-bit regsvr32.exe, and that dump is the one to carve for the unpacked payload.
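The memory-dump names above carry everything needed to sanity-check the sizes the sandbox prints and to spot the region that holds the unpacked module. The Python below is an added example, not part of the report: it parses the dump names listed in this section (copied verbatim), recomputes each region size, compares it with the reported size, collapses repeated captures of the same region, and flags a region that sits at the linker's default 64-bit DLL image base. The assumption that the report rounds sizes down to whole kilobytes, and the name format itself, are inferred from the entries above.

```python
"""Parse sandbox memory-dump names and verify their reported sizes (added example)."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)
X64_DLL_DEFAULT_BASE = 0x180000000  # MSVC linker default ImageBase for 64-bit DLLs

# Dump names and sizes copied from the report's Downloads section.
REPORTED = [
    ("memory/956-260-0x0000000000000000-mapping.dmp", None),
    ("memory/2636-284-0x0000000000000000-mapping.dmp", None),
    ("memory/2636-292-0x0000000180001000-0x0000000180030000-memory.dmp", "188KB"),
    ("memory/2844-281-0x0000000000000000-mapping.dmp", None),
    ("memory/4372-121-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp", "64KB"),
    ("memory/4372-122-0x0000025D7B370000-0x0000025D7B372000-memory.dmp", "8KB"),
    ("memory/4372-115-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp", "64KB"),
    ("memory/4372-120-0x0000025D7B370000-0x0000025D7B372000-memory.dmp", "8KB"),
    ("memory/4372-119-0x0000025D7B370000-0x0000025D7B372000-memory.dmp", "8KB"),
    ("memory/4372-118-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp", "64KB"),
    ("memory/4372-117-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp", "64KB"),
    ("memory/4372-116-0x00007FFBABDA0000-0x00007FFBABDB0000-memory.dmp", "64KB"),
]


def parse_dump(name):
    """Return pid, sequence number, kind ('memory' or 'mapping') and the address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq = int(m["pid"]), int(m["seq"])
    if m["end"] is None:  # '-mapping.dmp' entries carry no range
        return {"pid": pid, "seq": seq, "kind": "mapping", "start": None, "end": None, "size": None}
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": pid, "seq": seq, "kind": "memory", "start": start, "end": end, "size": end - start}


def human_kb(nbytes):
    """Whole-kilobyte rendering, rounded down (assumed to match the report's convention)."""
    return f"{nbytes // 1024}KB"


def verify(reported):
    """Return (name, reported, recomputed) for every entry whose size does not match."""
    mismatches = []
    for name, size_str in reported:
        d = parse_dump(name)
        got = human_kb(d["size"]) if d["size"] is not None else None
        if got != size_str:
            mismatches.append((name, size_str, got))
    return mismatches


def distinct_regions(reported):
    """Map (pid, start, end) -> list of sequence numbers, collapsing repeated captures."""
    regions = {}
    for name, _ in reported:
        d = parse_dump(name)
        if d["kind"] == "memory":
            regions.setdefault((d["pid"], d["start"], d["end"]), []).append(d["seq"])
    return regions


def at_default_x64_dll_base(d):
    """True when the region lies in the 16MB window starting at the default x64 DLL base,
    i.e. a 64-bit DLL mapped at its preferred address rather than relocated."""
    return d["start"] is not None and (d["start"] >> 24) == (X64_DLL_DEFAULT_BASE >> 24)


if __name__ == "__main__":
    print("size mismatches:", verify(REPORTED))
    for (pid, start, end), seqs in distinct_regions(REPORTED).items():
        flag = " <- default x64 DLL base" if at_default_x64_dll_base({"start": start}) else ""
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({human_kb(end - start)}) seqs={sorted(seqs)}{flag}")
```

Run as a script it reports no size mismatches and three distinct regions: two WINWORD.EXE regions captured repeatedly and the single 188KB regsvr32.exe region at the default 64-bit DLL base, which is the one to hand to a YARA scan or a PE-carving tool.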