Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:08
Static task
static1
Behavioral task
behavioral1
Sample
5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc
Resource
win10v2004-20220414-en
General
-
Target
5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc
-
Size
509KB
-
MD5
1cc3e165448a1507ce5e59b18a7de037
-
SHA1
1f88a72ea7e6819edbe8af361e2258d661fc9ea5
-
SHA256
5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776
-
SHA512
c01b6cd16f7075882250f8fa4bda864e8f7373afae637118ac20b6d3ffd9a371a46f9df86eedd69a7df63d867f0cd8714fc317e54e722dd6f5a348cd16f4861f
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
notepad.exeWMIC.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4092 1616 notepad.exe WINWORD.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4604 1616 WMIC.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 4092 notepad.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1616 WINWORD.EXE 1616 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
WMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 4604 WMIC.exe Token: SeSecurityPrivilege 4604 WMIC.exe Token: SeTakeOwnershipPrivilege 4604 WMIC.exe Token: SeLoadDriverPrivilege 4604 WMIC.exe Token: SeSystemProfilePrivilege 4604 WMIC.exe Token: SeSystemtimePrivilege 4604 WMIC.exe Token: SeProfSingleProcessPrivilege 4604 WMIC.exe Token: SeIncBasePriorityPrivilege 4604 WMIC.exe Token: SeCreatePagefilePrivilege 4604 WMIC.exe Token: SeBackupPrivilege 4604 WMIC.exe Token: SeRestorePrivilege 4604 WMIC.exe Token: SeShutdownPrivilege 4604 WMIC.exe Token: SeDebugPrivilege 4604 WMIC.exe Token: SeSystemEnvironmentPrivilege 4604 WMIC.exe Token: SeRemoteShutdownPrivilege 4604 WMIC.exe Token: SeUndockPrivilege 4604 WMIC.exe Token: SeManageVolumePrivilege 4604 WMIC.exe Token: 33 4604 WMIC.exe Token: 34 4604 WMIC.exe Token: 35 4604 WMIC.exe Token: 36 4604 WMIC.exe Token: SeIncreaseQuotaPrivilege 4604 WMIC.exe Token: SeSecurityPrivilege 4604 WMIC.exe Token: SeTakeOwnershipPrivilege 4604 WMIC.exe Token: SeLoadDriverPrivilege 4604 WMIC.exe Token: SeSystemProfilePrivilege 4604 WMIC.exe Token: SeSystemtimePrivilege 4604 WMIC.exe Token: SeProfSingleProcessPrivilege 4604 WMIC.exe Token: SeIncBasePriorityPrivilege 4604 WMIC.exe Token: SeCreatePagefilePrivilege 4604 WMIC.exe Token: SeBackupPrivilege 4604 WMIC.exe Token: SeRestorePrivilege 4604 WMIC.exe Token: SeShutdownPrivilege 4604 WMIC.exe Token: SeDebugPrivilege 4604 WMIC.exe Token: SeSystemEnvironmentPrivilege 4604 WMIC.exe Token: SeRemoteShutdownPrivilege 4604 WMIC.exe Token: SeUndockPrivilege 4604 WMIC.exe Token: SeManageVolumePrivilege 4604 WMIC.exe Token: 33 4604 WMIC.exe Token: 34 4604 WMIC.exe Token: 35 4604 WMIC.exe Token: 36 4604 WMIC.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE 1616 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1616 wrote to memory of 4092 1616 WINWORD.EXE notepad.exe PID 1616 wrote to memory of 4092 1616 WINWORD.EXE notepad.exe PID 1616 wrote to memory of 4604 1616 WINWORD.EXE WMIC.exe PID 1616 wrote to memory of 4604 1616 WINWORD.EXE WMIC.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5740597cab760481789304022438aac74fc44994073c340b08577ee582dba776.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txt2⤵
- Process spawned unexpected child process
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe"2⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\and_agreeable_surprise.txtFilesize
7KB
MD53d7e774c6fed5ea2f050b6c8a3d26392
SHA148d0a0060de4bc856f250e80e56d102ad2b261d1
SHA256b1a4b4aa4387e862963c207cff2f3c7db1d56a497f69531151017aeb2ae11ccc
SHA5121678e4794ca71b94c1ee15fda6d20b85937afb2a66d3fc6a30600f166ca8becfd009cd3f96fe2f4067451ef94e2969b94890ce2125b8abd5e30b0d806e4d1875
-
memory/1616-130-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmpFilesize
64KB
-
memory/1616-131-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmpFilesize
64KB
-
memory/1616-132-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmpFilesize
64KB
-
memory/1616-133-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmpFilesize
64KB
-
memory/1616-134-0x00007FF7D9CF0000-0x00007FF7D9D00000-memory.dmpFilesize
64KB
-
memory/1616-135-0x00007FF7D7840000-0x00007FF7D7850000-memory.dmpFilesize
64KB
-
memory/1616-136-0x00007FF7D7840000-0x00007FF7D7850000-memory.dmpFilesize
64KB
-
memory/1616-139-0x00000270A379E000-0x00000270A37A0000-memory.dmpFilesize
8KB
-
memory/4092-137-0x0000000000000000-mapping.dmp
-
memory/4604-140-0x0000000000000000-mapping.dmp