Analysis
- max time kernel: 138s
- max time network: 143s
- platform: windows10_x64
- resource: win10v200430
- submitted: 11-07-2020 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: ordinare 07.08.2020.doc
- Resource: win7
Behavioral task: behavioral2
- Sample: ordinare 07.08.2020.doc
- Resource: win10v200430
General
- Target: ordinare 07.08.2020.doc
- Size: 147KB
- MD5: 10cb72a11b08464287de4f6386aa1804
- SHA1: 79fd474a39128136b5d056c2e52d4d573d59a330
- SHA256: d21916b27b5efdd803201119c97e5318019fff9715a428ec3ca7ded7c86e6e4c
- SHA512: 92febdea66347122623e346466367b23deda4c4947a590466ff6730154b2743cb1f237cf7cd4915af1e0ca0c993133cfc615c1b6c0224cd342e7e3d6b2776361
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
    description                      | pid  | process     | target process
    PID 1520 wrote to memory of 3888 | 1520 | WINWORD.EXE | regsvr32.exe
    PID 1520 wrote to memory of 3888 | 1520 | WINWORD.EXE | regsvr32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description       | ioc                                                                                  | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description       | ioc                                                             | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes: WINWORD.EXE
    pid  | process
    1520 | WINWORD.EXE (the same entry is repeated 19 times, one per IoC)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid  | process
    1520 | WINWORD.EXE (the same entry is repeated 2 times, one per IoC)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
    description                                                                                              | pid  | pid_target | process      | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3888 | 1520       | regsvr32.exe | WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordinare 07.08.2020.doc" /o ""
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - C:\Windows\System32\regsvr32.exe (child of WINWORD.EXE)
    Command line: "C:\Windows\System32\regsvr32.exe" V0.tmp
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1520-0-0x0000026EED4DC000-0x0000026EED4DD000-memory.dmp (Filesize: 4KB)
- memory/1520-1-0x0000026EED4DD000-0x0000026EED4E2000-memory.dmp (Filesize: 20KB)
- memory/1520-2-0x0000026EED4DD000-0x0000026EED4E2000-memory.dmp (Filesize: 20KB)
- memory/3888-3-0x0000000000000000-mapping.dmp