Analysis
-
max time kernel
139s -
max time network
132s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-11-2020 19:03
Static task
static1
Behavioral task
behavioral1
Sample
Patent_656419797_as-of-27thJune2020.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Patent_656419797_as-of-27thJune2020.doc
Resource
win10v20201028
General
-
Target
Patent_656419797_as-of-27thJune2020.doc
-
Size
1006KB
-
MD5
45df50ea19045aa1d48ee962246c8c56
-
SHA1
86d00261ba88265bdd6b27ca76c44e2769c5088e
-
SHA256
cf577313173f345525aff5b7efe4c709507da92a9c9211559f6ff6af00db44b2
-
SHA512
262d148ed613ad6659c9f186537a50c8228182c58616de8b03687389ade4541e2cb829eee99a86b89c69af7e4d854e38813a030b528cb83f1fdefca96beb9bf4
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3584 580 cmd.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 580 wrote to memory of 3584 580 WINWORD.EXE cmd.exe PID 580 wrote to memory of 3584 580 WINWORD.EXE cmd.exe PID 3584 wrote to memory of 2720 3584 cmd.exe certutil.exe PID 3584 wrote to memory of 2720 3584 cmd.exe certutil.exe PID 3584 wrote to memory of 1528 3584 cmd.exe certutil.exe PID 3584 wrote to memory of 1528 3584 cmd.exe certutil.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Patent_656419797_as-of-27thJune2020.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Exerwa\decode.bat2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -f -decode exec.enc exec.exe3⤵
-
C:\Windows\system32\certutil.execertutil -f -decode script.enc script.ps13⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Exerwa\decode.batMD5
b23aef1dc2efba86507c2a2362cac823
SHA1e3e22cf384dc9c61589802580ee4042f544053de
SHA2569cc0e973845f934fdcf821389dc436a77b77808800763fdcafd546485e2e4b5d
SHA5122e1cda89597e9e63355df3fe14d37b947b5177dd9df0eca1d1ba0afe0332931d144ca6536117e60f32a77a36ab60fb40a6f155c49bc0b004c1f287a5393289ed
-
C:\Users\Admin\Exerwa\exec.encMD5
4afd8a3e4bf79997089aa0e933a0ccda
SHA1a3c6ea66eb49ec907bd8ed0fabe6694df3649922
SHA256623ac62cbcddfbf29c349bcbadee6e4dfaf4fb5fffa3a656e8c9cb3e0d8465e0
SHA512e7a4391fb931a4b5c35b6a446a82d77d7e60b241b911033198ac9b9373cd468b8ae673fc74a850b91b5bf1f0c1b1c07e65f6a3049e52a5ad1fd13b518c2bda00
-
C:\Users\Admin\Exerwa\script.encMD5
04b01b253c4f9bff1039a31190155309
SHA12f4d2b7714d6332cb6634d9f7724c70bee3a74cd
SHA2561e7370f3c2a51a7c64ecad889f0cf09f21403e860a4af953ce8589761804ce6a
SHA512d33f9d9dc8f1da1e27ca6c094c7292c52afaa62536c6c73b9f558c20298e27f1fad029368fe93bc42ae1da6f8eeb953d46f71050131703f2e97dfb0e5691b0e3
-
memory/580-0-0x000001EB4E020000-0x000001EB4E657000-memory.dmpFilesize
6.2MB
-
memory/1528-10-0x0000000000000000-mapping.dmp
-
memory/2720-8-0x0000000000000000-mapping.dmp
-
memory/3584-6-0x0000000000000000-mapping.dmp