9301cf300ecde152a6d63416e4ea91692ecd7ccd73cfe01cd703e05a01e9ad48

General

Target

dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc
Size

322KB
MD5

06ba06269873237b18c23a82da59f492
SHA1

d18f046a0fdbefb79ec85a22404e402e6e56f2bf
SHA256

dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95
SHA512

549136d02ab9d15f3aa493bf683bf5a3319d88bd990588992854d7dc6dd44047c33695c3bb322beb384fc957913212c6f073e24576729e60776f8df2ef4fa0d4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3592	3988	rundll32.exe	WINWORD.EXE

Blacklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

28 4040 rundll32.exe
30 4040 rundll32.exe
36 4040 rundll32.exe
40 4040 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4040 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.ipify.org

flow	pid	process
28	4040	rundll32.exe
30	4040	rundll32.exe
36	4040	rundll32.exe
40	4040	rundll32.exe

pid	process
4040	rundll32.exe

flow	ioc
27	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{59A42A7B-188E-4DD5-A027-2203E4D8BCC6}\ya.wav:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3988 WINWORD.EXE
3988 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

4040 rundll32.exe
4040 rundll32.exe
4040 rundll32.exe
4040 rundll32.exe
4040 rundll32.exe
4040 rundll32.exe

pid	process
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE
3988	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 3988 wrote to memory of 3508	3988	WINWORD.EXE	splwow64.exe
PID 3988 wrote to memory of 3508	3988	WINWORD.EXE	splwow64.exe
PID 3988 wrote to memory of 3592	3988	WINWORD.EXE	rundll32.exe
PID 3988 wrote to memory of 3592	3988	WINWORD.EXE	rundll32.exe
PID 3592 wrote to memory of 4040	3592	rundll32.exe	rundll32.exe
PID 3592 wrote to memory of 4040	3592	rundll32.exe	rundll32.exe
PID 3592 wrote to memory of 4040	3592	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dfdf79d355c1098d4cceaf4591200d35000ad86a585df727b3e7e6cf7dd58e95.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3508

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
3⤵
- Blacklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
MD5
9b07094151ee3ee8b82a62a1f1052ae6

SHA1
fc90744ed68c018a8974322a355afc9aeb55c298

SHA256
f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3

SHA512
1fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
MD5
9b07094151ee3ee8b82a62a1f1052ae6

SHA1
fc90744ed68c018a8974322a355afc9aeb55c298

SHA256
f57e381a7b16ced63cd8e1e68ea0da8a08799c21c6db7357eb5a5bb13c321ab3

SHA512
1fad6dcd3bb1e785958fd1cfa20f9bf88b00b5e0cdcbd1933a279a8140245e1d2518412f61893328e922ed8a4bb52fd0eec16f92fbacb77f540feb4f5600ffee

Download Submit
memory/3508-7-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/3508-8-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3508-5-0x0000000000000000-mapping.dmp

Download
memory/3508-6-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3592-11-0x0000000000000000-mapping.dmp

Download
memory/3988-3-0x000002C813A9C000-0x000002C813AA1000-memory.dmp

Filesize
20KB

Download
memory/3988-4-0x000002C813A9C000-0x000002C813AA1000-memory.dmp

Filesize
20KB

Download
memory/3988-10-0x000002C813A9C000-0x000002C813AA1000-memory.dmp

Filesize
20KB

Download
memory/3988-0-0x00007FFCBBD40000-0x00007FFCBC377000-memory.dmp

Filesize
6.2MB

Download
memory/3988-2-0x000002C813A9B000-0x000002C813A9C000-memory.dmp

Filesize
4KB

Download
memory/3988-1-0x000002C813A9C000-0x000002C813AA1000-memory.dmp

Filesize
20KB

Download
memory/4040-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads