c3a59ff2bf7e39ce991568f3a1f159dcd10bc1f10312214397b73d2978f3ff9b

Resubmissions

20-11-2020 19:03

201120-cx5fwpl1we 10

20-11-2020 18:56

201120-qq16sh22ka 10

Analysis

max time kernel
139s
max time network
132s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patent_656419797_as-of-27thJune2020.doc
Size

1006KB
MD5

45df50ea19045aa1d48ee962246c8c56
SHA1

86d00261ba88265bdd6b27ca76c44e2769c5088e
SHA256

cf577313173f345525aff5b7efe4c709507da92a9c9211559f6ff6af00db44b2
SHA512

262d148ed613ad6659c9f186537a50c8228182c58616de8b03687389ade4541e2cb829eee99a86b89c69af7e4d854e38813a030b528cb83f1fdefca96beb9bf4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3584	580	cmd.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

580 WINWORD.EXE
580 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE
580	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 580 wrote to memory of 3584	580	WINWORD.EXE	cmd.exe
PID 580 wrote to memory of 3584	580	WINWORD.EXE	cmd.exe
PID 3584 wrote to memory of 2720	3584	cmd.exe	certutil.exe
PID 3584 wrote to memory of 2720	3584	cmd.exe	certutil.exe
PID 3584 wrote to memory of 1528	3584	cmd.exe	certutil.exe
PID 3584 wrote to memory of 1528	3584	cmd.exe	certutil.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Patent_656419797_as-of-27thJune2020.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Exerwa\decode.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\certutil.exe
certutil -f -decode exec.enc exec.exe
3⤵
PID:2720

C:\Windows\system32\certutil.exe
certutil -f -decode script.enc script.ps1
3⤵
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Exerwa\decode.bat
MD5
b23aef1dc2efba86507c2a2362cac823

SHA1
e3e22cf384dc9c61589802580ee4042f544053de

SHA256
9cc0e973845f934fdcf821389dc436a77b77808800763fdcafd546485e2e4b5d

SHA512
2e1cda89597e9e63355df3fe14d37b947b5177dd9df0eca1d1ba0afe0332931d144ca6536117e60f32a77a36ab60fb40a6f155c49bc0b004c1f287a5393289ed

Download Submit
C:\Users\Admin\Exerwa\exec.enc
MD5
4afd8a3e4bf79997089aa0e933a0ccda

SHA1
a3c6ea66eb49ec907bd8ed0fabe6694df3649922

SHA256
623ac62cbcddfbf29c349bcbadee6e4dfaf4fb5fffa3a656e8c9cb3e0d8465e0

SHA512
e7a4391fb931a4b5c35b6a446a82d77d7e60b241b911033198ac9b9373cd468b8ae673fc74a850b91b5bf1f0c1b1c07e65f6a3049e52a5ad1fd13b518c2bda00

Download Submit
C:\Users\Admin\Exerwa\script.enc
MD5
04b01b253c4f9bff1039a31190155309

SHA1
2f4d2b7714d6332cb6634d9f7724c70bee3a74cd

SHA256
1e7370f3c2a51a7c64ecad889f0cf09f21403e860a4af953ce8589761804ce6a

SHA512
d33f9d9dc8f1da1e27ca6c094c7292c52afaa62536c6c73b9f558c20298e27f1fad029368fe93bc42ae1da6f8eeb953d46f71050131703f2e97dfb0e5691b0e3

Download Submit
memory/580-0-0x000001EB4E020000-0x000001EB4E657000-memory.dmp

Filesize
6.2MB

Download
memory/1528-10-0x0000000000000000-mapping.dmp

Download
memory/2720-8-0x0000000000000000-mapping.dmp

Download
memory/3584-6-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads