d312c079c51f2bf011902df86e1ca4cac84eb7c74ff104fa48a505caa88ef2fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

challenge-files/challenge-files/docs 06.02.2021.docm
Size

43KB
MD5

f08771b9fdfe82caaa089641e2348c8e
SHA1

b02c121597c9d56d7fab76b54834d5f3bd961e8c
SHA256

cc721111b5924cfeb91440ecaccc60ecc30d10fffbdab262f7c0a17027f527d1
SHA512

3bb2b582e7119c346473f78056f95e0890a3e74976de733739af9aaef810c4e62b35d7f81ec52acfbf675d3d501a048a36fa323ef76ee8843502424211b46ebd
SSDEEP

768:u5WkgUEeFPIlj5oQ0fUDjxXSwU/+BtgKpyAAlQg6DPLFXS:plekVoQTCFmgKpslepC

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description pid pid_target process target process

Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3652 460 explorer.exe WINWORD.EXE
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2140 2072 WerFault.exe mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3652	460	explorer.exe	WINWORD.EXE

pid	pid_target	process	target process
2140	2072	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

460 WINWORD.EXE
460 WINWORD.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE
460 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	explorer.exe

pid	process
460	WINWORD.EXE
460	WINWORD.EXE

pid	process
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE
460	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXEexplorer.exe

description	pid	process	target process
PID 460 wrote to memory of 3652	460	WINWORD.EXE	explorer.exe
PID 460 wrote to memory of 3652	460	WINWORD.EXE	explorer.exe
PID 1316 wrote to memory of 2072	1316	explorer.exe	mshta.exe
PID 1316 wrote to memory of 2072	1316	explorer.exe	mshta.exe
PID 1316 wrote to memory of 2072	1316	explorer.exe	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\challenge-files\challenge-files\docs 06.02.2021.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\explorer.exe
explorer collectionBoxConst.hta
2⤵
- Process spawned unexpected child process
PID:3652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\challenge-files\challenge-files\collectionBoxConst.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1352
3⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2072 -ip 2072
1⤵
PID:4980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD92A1.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\challenge-files\challenge-files\collectionBoxConst.hta
Filesize
3KB

MD5
99a1a4391c6be3ac5f137c0a092d8edd

SHA1
34afc663a569d0ba183c73ab40ae8d682273d193

SHA256
b25865183c5cd2c5e550aca8476e592b62ed3e37e6b628f955bbed454fdbb100

SHA512
45e5b38d72add4d28234b539071a3cb4059c9c104b5389a43190fd3197843e103fdaf7552c1edcb9bbbabe15b122a8bef0389ce39d6130b438a835c4c2d4f345

Download Submit
memory/460-15-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-551-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-5-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-6-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-7-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-4-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-26-0x000002D659B10000-0x000002D65A310000-memory.dmp

Filesize
8.0MB

Download
memory/460-9-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-10-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-11-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-12-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-13-0x00007FFC4EB90000-0x00007FFC4EBA0000-memory.dmp

Filesize
64KB

Download
memory/460-14-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-16-0x00007FFC4EB90000-0x00007FFC4EBA0000-memory.dmp

Filesize
64KB

Download
memory/460-552-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-0-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-8-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-27-0x000002D65DBC0000-0x000002D65EB90000-memory.dmp

Filesize
15.8MB

Download
memory/460-29-0x000002D65DBC0000-0x000002D65EB90000-memory.dmp

Filesize
15.8MB

Download
memory/460-1-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-2-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-512-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-522-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-523-0x000002D659B10000-0x000002D65A310000-memory.dmp

Filesize
8.0MB

Download
memory/460-524-0x000002D65DBC0000-0x000002D65EB90000-memory.dmp

Filesize
15.8MB

Download
memory/460-525-0x000002D65DBC0000-0x000002D65EB90000-memory.dmp

Filesize
15.8MB

Download
memory/460-548-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-549-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-550-0x00007FFC510F0000-0x00007FFC51100000-memory.dmp

Filesize
64KB

Download
memory/460-17-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-553-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download
memory/460-3-0x00007FFC91070000-0x00007FFC91265000-memory.dmp

Filesize
2.0MB

Download