Analysis

  • max time kernel
    1743s
  • max time network
    1743s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-11-2020 07:45

General

  • Target

    dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc

  • Size

    322KB

  • MD5

    06ba06269873237b18c23a82da59f492

  • SHA1

    d18f046a0fdbefb79ec85a22404e402e6e56f2bf

  • SHA256

    dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95

  • SHA512

    549136d02ab9d15f3aa493bf683bf5a3319d88bd990588992854d7dc6dd44047c33695c3bb322beb384fc957913212c6f073e24576729e60776f8df2ef4fa0d4

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro. Here WINWORD.EXE (PID 580) spawned rundll32.exe (PID 2856) to load W0rd.dll from the user's Templates folder.

  • Blacklisted process makes network request (16 IoCs)

    The 32-bit rundll32.exe (PID 2064) hosting W0rd.dll made the 16 network requests.

  • Loads dropped DLL (1 IoC)

    W0rd.dll, written to C:\Users\Admin\AppData\Roaming\Microsoft\Templates\ (hashes listed under Downloads).

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2400
      (Windows print driver host that Word starts on its own; no signatures fired on it)
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
        3⤵
        • Blacklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:2064

    Note on the chain: the image path of PID 2064 is SysWOW64\rundll32.exe while its command line still names System32\rundll32.exe. That is the 64-bit rundll32 (PID 2856) re-launching itself as the 32-bit WoW64 copy with the identical command line, which rundll32 does when the DLL it is asked to load is 32-bit. The payload therefore runs in PID 2064, which is where the DLL load and the network activity are recorded. The DLL lives in a user-writable folder and is entered through its Start export, so a detection keyed only on a direct WINWORD.EXE → rundll32.exe relationship sees PID 2856 but misses the process doing the work unless it also follows the child.
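As an added example (not part of the sandbox report), the following Python implements the detection the process tree above calls for: flag a living-off-the-land binary whose parent, or a parent further up the chain, is an Office application, and for rundll32 additionally report when the DLL argument comes from a user-writable path. The events are constructed from the report's own tree; the explorer.exe parent and the PPID of WINWORD.EXE are assumptions, as is the Sysmon-style field layout. The DLL parser assumes the target carries a .dll, .ocx or .cpl extension.

```python
"""Detection for Office -> rundll32 -> dropped DLL chains (added example, not report content)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Office applications whose direct or indirect children we scrutinise.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Living-off-the-land binaries that an Office process has no business spawning.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "msiexec.exe"}

# Anything under \Users\<name>\AppData\ is writable by a standard user.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Parses '"...\rundll32.exe" <dll>[,<export>]' (quoted or unquoted DLL path).
# Assumption: the DLL argument ends in .dll/.ocx/.cpl; renamed payloads need a looser rule.
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.(?:dll|ocx|cpl))"?(?:\s*,\s*(\S+))?',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable that was started
    cmdline: str    # command line as logged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_ARGS.search(cmdline)
    if not m:
        return None
    return m.group(1), (m.group(2) or "")


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                    max_depth: int = 5) -> Optional[ProcEvent]:
    """Walk up the parent chain looking for an Office process.

    The depth bound guards against PID reuse producing a cycle in the map, and it is
    what lets the 32-bit rundll32 re-exec (child of a rundll32) still attribute to Word."""
    cur = by_pid.get(ev.ppid)
    for _ in range(max_depth):
        if cur is None:
            return None
        if basename(cur.image) in OFFICE_PARENTS:
            return cur
        cur = by_pid.get(cur.ppid)
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every suspicious child with an Office ancestor."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[int, str]] = []
    for ev in events:
        child = basename(ev.image)
        if child not in SUSPICIOUS_CHILDREN:
            continue                      # splwow64.exe and friends are ignored here
        parent = office_ancestor(ev, by_pid)
        if parent is None:
            continue
        reason = f"{basename(parent.image)} (pid {parent.pid}) -> {child} (pid {ev.pid})"
        if child == "rundll32.exe":
            target = rundll32_target(ev.cmdline)
            if target and USER_WRITABLE.search(target[0]):
                dll, export = target
                reason += f"; loads DLL from user-writable path {dll}"
                reason += f" via export {export}" if export else ""
        alerts.append((ev.pid, reason))
    return alerts


# Constructed from the report's process tree. The explorer.exe event and WINWORD's
# PPID (1200) are assumptions; the report does not show them.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(580, 1200, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc" /o ""'),
    ProcEvent(2400, 580, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2856, 580, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start'),
    ProcEvent(2064, 2856, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start'),
]

if __name__ == "__main__":
    for pid, why in detect(SAMPLE_EVENTS):
        print(f"ALERT pid {pid}: {why}")
```

Run against the constructed events this raises two alerts, for PID 2856 and for its 32-bit re-exec PID 2064, and stays quiet on splwow64.exe; the ancestor walk is the piece that keeps the second alert, since PID 2064's immediate parent is rundll32, not Word.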

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry, T1012 (2 matching signatures)
  • System Information Discovery, T1082 (2 matching signatures)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
    (also recorded under the drive-less path \Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll with identical hashes)

    MD5
    9b07094151ee3ee8b82a62a1f1052ae6

    SHA1
    fc90744ed68c018a8974322a355afc9aeb55c298

    SHA256
    f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3

    SHA512
    1fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee

  • memory/580-0-0x00007FFC30380000-0x00007FFC309B7000-memory.dmp
    Filesize 6.2MB
  • memory/580-14-0x000001CDD3C00000-0x000001CDD3C04000-memory.dmp
    Filesize 16KB
  • memory/2064-12-0x0000000000000000-mapping.dmp
  • memory/2400-5-0x0000000000000000-mapping.dmp
  • memory/2400-6-0x0000000002790000-0x0000000002791000-memory.dmp
    Filesize 4KB
  • memory/2400-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
    Filesize 4KB
  • memory/2400-8-0x0000000003050000-0x0000000003051000-memory.dmp
    Filesize 4KB
  • memory/2856-10-0x0000000000000000-mapping.dmp