Analysis
- max time kernel: 139s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 15:25

Static task: static1

Behavioral task: behavioral1
- Sample: 1125_56873981.doc
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 1125_56873981.doc
- Resource: win10v20201028
General
- Target: 1125_56873981.doc
- Size: 368KB
- MD5: bdba9e0cbaa81843d8a651ed0098a9fd
- SHA1: a105d9e6bb732093237bc2d555478c9a8a54bb6d
- SHA256: 827866089f958b9df535168bc3efed843ee0d769cbe015758d90f9199f7b0d25
- SHA512: 327076632a9dbfdfab0f0888a173f71cea1840d7ffa1e5afb825d60af794868db04269f1bfd88055c83bfaccc02ecf2868470bc01e559ab671a85830da4db6ee
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1284 | 4048 | rundll32.exe | WINWORD.EXE
- Blacklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
    31 | 3932 | rundll32.exe
    33 | 3932 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    3932 | rundll32.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    30 | api.ipify.org
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- NTFS ADS (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\{491F104F-8F5F-4978-A4D3-54F99330FE5C}\ya.wav:Zone.Identifier | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    4048 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    3932 | rundll32.exe (2 identical entries)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid | process):
    4048 | WINWORD.EXE (7 identical entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 4048 wrote to memory of 1892 | 4048 | WINWORD.EXE | splwow64.exe (2 identical entries)
    PID 4048 wrote to memory of 1284 | 4048 | WINWORD.EXE | rundll32.exe (2 identical entries)
    PID 1284 wrote to memory of 3932 | 1284 | rundll32.exe | rundll32.exe (3 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1125_56873981.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe (level 2)
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\System32\rundll32.exe (level 2)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\rundll32.exe (level 3)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
      Signatures:
      - Blacklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
  MD5: e3659cd4b544ee02ba6f3cc307e601f2
  SHA1: 8507242a7b307c912a9a2b1595e992da05f41ea7
  SHA256: 57120da92792471020573332d1ff30fadf4496f77e2652229c6dca7fc8685ae3
  SHA512: 724d7108f2bd7dffe3d87ea146806a934d1eed7b6c94ae8bd6840a818416467a97f4f2fec63d2576a4cba60fc848e72c66dffe143df6f1a2e79fa89b9d38ed3f
- memory/1284-13-0x0000000000000000-mapping.dmp
- memory/1892-8-0x0000000000000000-mapping.dmp
- memory/1892-9-0x0000000002450000-0x0000000002451000-memory.dmp (filesize 4KB)
- memory/1892-10-0x0000000000A00000-0x0000000000A01000-memory.dmp (filesize 4KB)
- memory/1892-11-0x0000000002CB0000-0x0000000002CB1000-memory.dmp (filesize 4KB)
- memory/3932-15-0x0000000000000000-mapping.dmp
- memory/4048-0-0x0000012772BE0000-0x0000012773217000-memory.dmp (filesize 6.2MB)