Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:08

General

  • Target

    5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc

  • Size

    509KB

  • MD5

    1cc3e165448a1507ce5e59b18a7de037

  • SHA1

    1f88a72ea7e6819edbe8af361e2258d661fc9ea5

  • SHA256

    5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776

  • SHA512

    c01b6cd16f7075882250f8fa4bda864e8f7373afae637118ac20b6d3ffd9a371a46f9df86eedd69a7df63d867f0cd8714fc317e54e722dd6f5a348cd16f4861f

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
      2⤵
      • Process spawned unexpected child process
      • Opens file in notepad (likely ransom note)
      PID:4092
    • C:\Windows\System32\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of AdjustPrivilegeToken
      PID:4604
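The "Process spawned unexpected child process" signature above is a parent/child relationship check: WINWORD.EXE (PID 1616) has no ordinary reason to launch notepad.exe (PID 4092) or WMIC.exe (PID 4604). The following is an added example, not part of the sandbox report and not the sandbox's own detection code, of the same check run over process-creation records. It parses a constructed, Sysmon-Event-1-like log (the key=value layout, the explorer.exe parent with PID 1020 and the cmd.exe control with PID 5000 are invented; the three report PIDs and their images and command lines are copied from the tree above), flags any child of an Office parent that is not on a hypothetical allowlist, and annotates two things a responder would want called out: notepad.exe opening a .txt file (the "likely ransom note" case) and a child with an empty argument list, whose input is then normally fed through its standard input and so never shows up in the process-creation event, which is the situation with the WMIC.exe line above.

```python
import re
from dataclasses import dataclass

# Office processes whose children are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hypothetical allowlist of children Office spawns in normal use; tune per environment.
BENIGN_CHILDREN = {"splwow64.exe", "ai.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    parent: str
    parent_pid: int
    child: str
    child_pid: int
    notes: tuple


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value | Key=Value' process-creation line."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(int(fields["ProcessId"]), int(fields["ParentProcessId"]),
                     fields["Image"], fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Image name without directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def _args_of(cmdline: str) -> str:
    """Drop the leading (possibly quoted) image token; return the remaining arguments."""
    m = re.match(r'\s*("[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(2) if m else ""


def find_unexpected_children(events):
    """Return a Finding for every non-allowlisted child of an Office parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) not in OFFICE_PARENTS:
            continue
        child = basename(e.image)
        if child in BENIGN_CHILDREN:
            continue
        notes = []
        args = _args_of(e.cmdline)
        if child == "notepad.exe" and args.lower().endswith(".txt"):
            notes.append("notepad opened a text file: possible ransom/decoy note")
        if not args:
            notes.append("no command-line arguments: input probably supplied via stdin, not visible here")
        findings.append(Finding(basename(parent.image), parent.pid, child, e.pid, tuple(notes)))
    return findings


# Constructed sample log modelled on the report's process tree. PIDs 1616, 4092 and 4604
# and their images/command lines come from the report; explorer.exe (1020) and cmd.exe (5000) are invented.
SAMPLE_LOG = """\
ProcessId=1020 | ParentProcessId=900 | Image=C:\\Windows\\explorer.exe | CommandLine=C:\\Windows\\explorer.exe
ProcessId=1616 | ParentProcessId=1020 | Image=C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE | CommandLine="C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.doc" /o ""
ProcessId=4092 | ParentProcessId=1616 | Image=C:\\Windows\\System32\\notepad.exe | CommandLine="C:\\Windows\\System32\\notepad.exe" C:\\Users\\Admin\\AppData\\Roaming\\and_agreeable_surprise.txt
ProcessId=4604 | ParentProcessId=1616 | Image=C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine="C:\\Windows\\System32\\wbem\\WMIC.exe"
ProcessId=5000 | ParentProcessId=1020 | Image=C:\\Windows\\System32\\cmd.exe | CommandLine="C:\\Windows\\System32\\cmd.exe" /c whoami
"""


def analyse(log_text: str):
    """Parse every non-empty line and run the parent/child check over the result."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return find_unexpected_children(events)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        detail = "; ".join(f.notes) or "unexpected child"
        print(f"{f.parent}({f.parent_pid}) -> {f.child}({f.child_pid}): {detail}")
```

On the sample log this reports exactly the two children the sandbox flagged and stays silent on the cmd.exe launched from explorer.exe. The allowlist is deliberately short: the point of the signature is that almost any child of a document-rendering process is anomalous, so start from "deny everything" and add entries only for children you have observed in your own environment.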

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012)
    2 IoCs
  • System Information Discovery (T1082)
    2 IoCs


Downloads

  • C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt
    Filesize

    7KB

    MD5

    3d7e774c6fed5ea2f050b6c8a3d26392

    SHA1

    48d0a0060de4bc856f250e80e56d102ad2b261d1

    SHA256

    b1a4b4aa4387e862963c207cff2f3c7db1d56a497f69531151017aeb2ae11ccc

    SHA512

    1678e4794ca71b94c1ee15fda6d20b85937afb2a66d3fc6a30600f166ca8becfd009cd3f96fe2f4067451ef94e2969b94890ce2125b8abd5e30b0d806e4d1875

  • memory/1616-130-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmp
    Filesize

    64KB

  • memory/1616-131-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmp
    Filesize

    64KB

  • memory/1616-132-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmp
    Filesize

    64KB

  • memory/1616-133-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmp
    Filesize

    64KB

  • memory/1616-134-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmp
    Filesize

    64KB

  • memory/1616-135-0x00007FF7D7840000-0x00007FF7D7850000-memory.dmp
    Filesize

    64KB

  • memory/1616-136-0x00007FF7D7840000-0x00007FF7D7850000-memory.dmp
    Filesize

    64KB

  • memory/1616-139-0x00000270A379E000-0x00000270A37A0000-memory.dmp
    Filesize

    8KB

  • memory/4092-137-0x0000000000000000-mapping.dmp
  • memory/4604-140-0x0000000000000000-mapping.dmp