Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 15:25

General

  • Target

    1125_56873981.doc

  • Size

    368KB

  • MD5

    bdba9e0cbaa81843d8a651ed0098a9fd

  • SHA1

    a105d9e6bb732093237bc2d555478c9a8a54bb6d

  • SHA256

    827866089f958b9df535168bc3efed843ee0d769cbe015758d90f9199f7b0d25

  • SHA512

    327076632a9dbfdfab0f0888a173f71cea1840d7ffa1e5afb825d60af794868db04269f1bfd88055c83bfaccc02ecf2868470bc01e559ab671a85830da4db6ee

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blacklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1125_56873981.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1892
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,Start
          3⤵
          • Blacklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:3932

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
      MD5

      e3659cd4b544ee02ba6f3cc307e601f2

      SHA1

      8507242a7b307c912a9a2b1595e992da05f41ea7

      SHA256

      57120da92792471020573332d1ff30fadf4496f77e2652229c6dca7fc8685ae3

      SHA512

      724d7108f2bd7dffe3d87ea146806a934d1eed7b6c94ae8bd6840a818416467a97f4f2fec63d2576a4cba60fc848e72c66dffe143df6f1a2e79fa89b9d38ed3f

    • \Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
      MD5

      e3659cd4b544ee02ba6f3cc307e601f2

      SHA1

      8507242a7b307c912a9a2b1595e992da05f41ea7

      SHA256

      57120da92792471020573332d1ff30fadf4496f77e2652229c6dca7fc8685ae3

      SHA512

      724d7108f2bd7dffe3d87ea146806a934d1eed7b6c94ae8bd6840a818416467a97f4f2fec63d2576a4cba60fc848e72c66dffe143df6f1a2e79fa89b9d38ed3f

    • memory/1284-13-0x0000000000000000-mapping.dmp
    • memory/1892-8-0x0000000000000000-mapping.dmp
    • memory/1892-9-0x0000000002450000-0x0000000002451000-memory.dmp
      Filesize

      4KB

    • memory/1892-10-0x0000000000A00000-0x0000000000A01000-memory.dmp
      Filesize

      4KB

    • memory/1892-11-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
      Filesize

      4KB

    • memory/3932-15-0x0000000000000000-mapping.dmp
    • memory/4048-0-0x0000012772BE0000-0x0000012773217000-memory.dmp
      Filesize

      6.2MB