843661d700c0e43c57c40e3101f2bc262f97c399e70ee87353bea0690abffd49

Reason

Machine shutdown

General

Target

bluegriffon-3.1.win-x86_64.exe
Size

252.9MB
MD5

3e0a96da7e6a610a9090bf4285cbc1c5
SHA1

e368177fca5b4a61b3b69c94bc700c59f9df45ff
SHA256

843661d700c0e43c57c40e3101f2bc262f97c399e70ee87353bea0690abffd49
SHA512

9854da9bc836ee441aa0099a3adf5a301b29ba4d02a63bb2408ad135947a3edd86a1513d969a16d62ce7cf9aa6b22ecffbe031b473b6a341344c1cac53232576
SSDEEP

6291456:F4SKnBAxnvZEFW8HCjqbz4JHlDzJfHB9XlN:F4S6BApBEFWcCjq/SJNfh9H

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3184	3240	OfficeC2RClient.exe	94

Executes dropped EXE 1 IoCs

pid	Process
4692	bluegriffon-3.1.win-x86_64.tmp

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3036	5000	WerFault.exe	14

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3240	WINWORD.EXE
3240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	EXCEL.EXE
1524	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1524	EXCEL.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3240	WINWORD.EXE
3184	OfficeC2RClient.exe
4912	LogonUI.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4692	2704	bluegriffon-3.1.win-x86_64.exe	87
PID 2704 wrote to memory of 4692	2704	bluegriffon-3.1.win-x86_64.exe	87
PID 2704 wrote to memory of 4692	2704	bluegriffon-3.1.win-x86_64.exe	87
PID 3240 wrote to memory of 3184	3240	WINWORD.EXE	98
PID 3240 wrote to memory of 3184	3240	WINWORD.EXE	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bluegriffon-3.1.win-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\bluegriffon-3.1.win-x86_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\is-9SQ3H.tmp\bluegriffon-3.1.win-x86_64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9SQ3H.tmp\bluegriffon-3.1.win-x86_64.tmp" /SL5="$10224,264828450,196096,C:\Users\Admin\AppData\Local\Temp\bluegriffon-3.1.win-x86_64.exe"
  2⤵
  - Executes dropped EXE
  PID:4692

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\TestWatch.xltx"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnregisterWait.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /ChangeSetting updatesEnabled=True 16
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of SetWindowsHookEx
  PID:3184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5000 -ip 5000
1⤵
PID:2864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5000 -s 1608
1⤵
- Program crash
PID:3036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9SQ3H.tmp\bluegriffon-3.1.win-x86_64.tmp

Filesize
832KB

MD5
548bc65e0892244b07552335a47bf357

SHA1
67d26c0831166c21b1ca98608d67654b671f64c3

SHA256
813ff2625545b297d7cd302009882ad97704551fbf6529ba010fa75449a69811

SHA512
350dc62a6d7316387762856c628dcf29f45b9849ba6918c77775346480c2eb2dd20bfc7023c23c90a101c5f457eac7498c7957d0d025737b1ade346c5f0e6abd

Download Submit
memory/1524-137-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-162-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-136-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-133-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-138-0x00007FF864C80000-0x00007FF864C90000-memory.dmp

Filesize
64KB

Download
memory/1524-139-0x00007FF864C80000-0x00007FF864C90000-memory.dmp

Filesize
64KB

Download
memory/1524-135-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-164-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-166-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-163-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/1524-134-0x00007FF8672B0000-0x00007FF8672C0000-memory.dmp

Filesize
64KB

Download
memory/2704-153-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4692-151-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4692-150-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads