Analysis
-
max time kernel
297s -
max time network
299s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-11-2020 07:45
Static task
static1
Behavioral task
behavioral1
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral2
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
win10v20201028
Behavioral task
behavioral3
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
win10v20201028
Behavioral task
behavioral4
Sample
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Resource
android-x86_64_arm64
General
-
Target
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
-
Size
322KB
-
MD5
06ba06269873237b18c23a82da59f492
-
SHA1
d18f046a0fdbefb79ec85a22404e402e6e56f2bf
-
SHA256
dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95
-
SHA512
549136d02ab9d15f3aa493bf683bf5a3319d88bd990588992854d7dc6dd44047c33695c3bb322beb384fc957913212c6f073e24576729e60776f8df2ef4fa0d4
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3592 3988 rundll32.exe WINWORD.EXE -
Blacklisted process makes network request 4 IoCs
Processes:
rundll32.exeflow pid process 28 4040 rundll32.exe 30 4040 rundll32.exe 36 4040 rundll32.exe 40 4040 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4040 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 api.ipify.org -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{59A42A7B-188E-4DD5-A027-2203E4D8BCC6}\ya.wav:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3988 WINWORD.EXE 3988 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exepid process 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe 4040 rundll32.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEpid process 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE 3988 WINWORD.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 3988 wrote to memory of 3508 3988 WINWORD.EXE splwow64.exe PID 3988 wrote to memory of 3508 3988 WINWORD.EXE splwow64.exe PID 3988 wrote to memory of 3592 3988 WINWORD.EXE rundll32.exe PID 3988 wrote to memory of 3592 3988 WINWORD.EXE rundll32.exe PID 3592 wrote to memory of 4040 3592 rundll32.exe rundll32.exe PID 3592 wrote to memory of 4040 3592 rundll32.exe rundll32.exe PID 3592 wrote to memory of 4040 3592 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
9b07094151ee3ee8b82a62a1f1052ae6
SHA1fc90744ed68c018a8974322a355afc9aeb55c298
SHA256f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3
SHA5121fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
9b07094151ee3ee8b82a62a1f1052ae6
SHA1fc90744ed68c018a8974322a355afc9aeb55c298
SHA256f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3
SHA5121fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee
-
memory/3508-7-0x0000000000AC0000-0x0000000000AC1000-memory.dmpFilesize
4KB
-
memory/3508-8-0x0000000003150000-0x0000000003151000-memory.dmpFilesize
4KB
-
memory/3508-5-0x0000000000000000-mapping.dmp
-
memory/3508-6-0x00000000027F0000-0x00000000027F1000-memory.dmpFilesize
4KB
-
memory/3592-11-0x0000000000000000-mapping.dmp
-
memory/3988-3-0x000002C813A9C000-0x000002C813AA1000-memory.dmpFilesize
20KB
-
memory/3988-4-0x000002C813A9C000-0x000002C813AA1000-memory.dmpFilesize
20KB
-
memory/3988-10-0x000002C813A9C000-0x000002C813AA1000-memory.dmpFilesize
20KB
-
memory/3988-0-0x00007FFCBBD40000-0x00007FFCBC377000-memory.dmpFilesize
6.2MB
-
memory/3988-2-0x000002C813A9B000-0x000002C813A9C000-memory.dmpFilesize
4KB
-
memory/3988-1-0x000002C813A9C000-0x000002C813AA1000-memory.dmpFilesize
20KB
-
memory/4040-13-0x0000000000000000-mapping.dmp