Analysis
-
max time kernel
1743s -
max time network
1743s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-11-2020 07:45
Static task
static1
Behavioral task
behavioral1
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral2
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
win10v20201028
Behavioral task
behavioral3
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
win10v20201028
Behavioral task
behavioral4
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
android-x86_64_arm64
General
-
Target
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
-
Size
322KB
-
MD5
06ba06269873237b18c23a82da59f492
-
SHA1
d18f046a0fdbefb79ec85a22404e402e6e56f2bf
-
SHA256
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95
-
SHA512
549136d02ab9d15f3aa493bf683bf5a3319d88bd990588992854d7dc6dd44047c33695c3bb322beb384fc957913212c6f073e24576729e60776f8df2ef4fa0d4
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2856 580 rundll32.exe WINWORD.EXE -
Blacklisted process makes network request 16 IoCs
Processes:
rundll32.exeflow pid process 28 2064 rundll32.exe 30 2064 rundll32.exe 35 2064 rundll32.exe 39 2064 rundll32.exe 41 2064 rundll32.exe 42 2064 rundll32.exe 43 2064 rundll32.exe 44 2064 rundll32.exe 45 2064 rundll32.exe 46 2064 rundll32.exe 47 2064 rundll32.exe 48 2064 rundll32.exe 49 2064 rundll32.exe 50 2064 rundll32.exe 51 2064 rundll32.exe 52 2064 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2064 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 api.ipify.org -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{797B042C-D771-479D-A538-F9255EB54604}\ya.wav:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
rundll32.exepid process 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe 2064 rundll32.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 580 wrote to memory of 2400 580 WINWORD.EXE splwow64.exe PID 580 wrote to memory of 2400 580 WINWORD.EXE splwow64.exe PID 580 wrote to memory of 2856 580 WINWORD.EXE rundll32.exe PID 580 wrote to memory of 2856 580 WINWORD.EXE rundll32.exe PID 2856 wrote to memory of 2064 2856 rundll32.exe rundll32.exe PID 2856 wrote to memory of 2064 2856 rundll32.exe rundll32.exe PID 2856 wrote to memory of 2064 2856 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
9b07094151ee3ee8b82a62a1f1052ae6
SHA1fc90744ed68c018a8974322a355afc9aeb55c298
SHA256f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3
SHA5121fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
9b07094151ee3ee8b82a62a1f1052ae6
SHA1fc90744ed68c018a8974322a355afc9aeb55c298
SHA256f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3
SHA5121fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee
-
memory/580-0-0x00007FFC30380000-0x00007FFC309B7000-memory.dmpFilesize
6.2MB
-
memory/580-14-0x000001CDD3C00000-0x000001CDD3C04000-memory.dmpFilesize
16KB
-
memory/2064-12-0x0000000000000000-mapping.dmp
-
memory/2400-5-0x0000000000000000-mapping.dmp
-
memory/2400-6-0x0000000002790000-0x0000000002791000-memory.dmpFilesize
4KB
-
memory/2400-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmpFilesize
4KB
-
memory/2400-8-0x0000000003050000-0x0000000003051000-memory.dmpFilesize
4KB
-
memory/2856-10-0x0000000000000000-mapping.dmp