Analysis

max time kernel: 136s
max time network: 130s
platform: windows10_x64
resource: win10v20201028
submitted: 30-11-2020 18:51

Static task: static1
Behavioral task: behavioral1
  Sample: command.11.30.2020.doc
  Resource: win7v20201028
Behavioral task: behavioral2 (the platform and resource above match this task; the results below are from it)
  Sample: command.11.30.2020.doc
  Resource: win10v20201028
General

Target: command.11.30.2020.doc
Size: 142KB
MD5: 019d3ecf74e5e66bc246f70c69bfa2d0
SHA1: ee7e8ff6e1905eea0a9a35e881978bbf55fbb03f
SHA256: 427b1af5ab5a8ecf6d182ea7c1bcf696700ea31358b88ca374fa82b4d0dc619d
SHA512: 37a3c711ea942e9f600b96af67abd1b0eb24331c8cdbec14055bd2aec9845e209dc4bff3325211df88f25615f0d7ab5601ed5f70b7323717bed28a5af5a2d03b
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4032 | 3968 | rundll32.exe | WINWORD.EXE

Blocklisted process makes network request (5 IoCs)
Processes:
  flow | pid | process
  27 | 4056 | rundll32.exe
  29 | 4056 | rundll32.exe
  31 | 4056 | rundll32.exe
  33 | 4056 | rundll32.exe
  34 | 4056 | rundll32.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  4056 | rundll32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Both registry signatures are attributed to WINWORD.EXE itself rather than to the rundll32 payload, so they may reflect Word's own startup behaviour as much as evasion by the macro; treat them as weak evidence on their own.

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  description | flow | ioc
  HTTP User-Agent header | 12 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  3968 | WINWORD.EXE (2 hits)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  4056 | rundll32.exe (2 hits)

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes:
  pid | process
  3968 | WINWORD.EXE (18 hits)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description | pid | process | target process
  PID 3968 wrote to memory of 4032 | 3968 | WINWORD.EXE | rundll32.exe (2 hits)
  PID 4032 wrote to memory of 4056 | 4032 | rundll32.exe | rundll32.exe (3 hits)
In both cases the writer is the parent of the process written to (see the process tree below), a pattern ordinary process creation also produces, so these hits do not by themselves indicate injection into an unrelated process.
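The two signatures above that carry the most signal, an Office parent spawning rundll32 and the WinHttpRequest user agent, translate directly into detection logic. The following Python is an added example and is not part of the sandbox report or its tooling. It runs over constructed Sysmon-style process-creation records that mirror the process tree in this report (plus one benign rundll32 launch as a control) and two constructed HTTP records; the field names (Image, ParentImage, CommandLine, UserAgent), the rule names and the parent of WINWORD.EXE are assumptions.

```python
import os
import re

# Parents that should not normally launch script hosts / LOLBins (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions a legitimate rundll32 module usually carries.
DLL_LIKE_EXT = {".dll", ".cpl", ".ocx", ".drv", ".ax"}
# User-writable locations where a macro typically drops its payload.
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
# User agent of the WinHttpRequest COM object, the HTTP client VBA macros usually reach for.
SCRIPT_HOST_UA = re.compile(r"WinHttp\.WinHttpRequest", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Split 'rundll32 <module>[,<entry>] [args]' into (module, entry); (None, None) if unparsable."""
    rest = re.sub(r'^\s*(?:"[^"]+"|\S+)\s*', "", cmdline)      # drop the program token
    m = re.match(r'(?:"([^"]+)"|([^\s,]+))(?:,(\S+))?', rest)   # module may be quoted
    if not m:
        return None, None
    return (m.group(1) or m.group(2)), m.group(3)


def check_process(ev):
    """Signatures that fire for one process-creation event (Sysmon Event ID 1 style fields)."""
    hits = []
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office_spawned_lolbin")
    if image == "rundll32.exe":
        module, _entry = parse_rundll32(ev["CommandLine"])
        if module:
            if os.path.splitext(basename(module))[1] not in DLL_LIKE_EXT:
                hits.append("rundll32_module_nonstandard_ext")
            if any(d in module.lower() for d in WRITABLE_DIRS):
                hits.append("rundll32_module_in_writable_dir")
    return hits


def check_http(ev):
    """Signature for one HTTP request record carrying a UserAgent field."""
    return ["script_host_user_agent"] if SCRIPT_HOST_UA.search(ev.get("UserAgent", "")) else []


def scan(process_events, http_events):
    """Return {event_id: [signature, ...]} for every event that fired at least one rule."""
    findings = {}
    for ev in process_events:
        hits = check_process(ev)
        if hits:
            findings[ev["id"]] = hits
    for ev in http_events:
        hits = check_http(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


# Constructed events mirroring the sandbox process tree; explorer.exe as Word's parent is assumed.
PROCESS_EVENTS = [
    {"id": "p1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\command.11.30.2020.doc" /o ""'},
    {"id": "p2", "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "CommandLine": r"rundll32 c:\programdata\rDPRg.pdf,ShowDialogA -r"},
    {"id": "p3", "ParentImage": r"C:\Windows\SYSTEM32\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 c:\programdata\rDPRg.pdf,ShowDialogA -r"},
    {"id": "p4", "ParentImage": r"C:\Windows\explorer.exe",   # benign control: Control Panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
]
HTTP_EVENTS = [  # constructed; h1 reuses the UA string from the report, h2 is a browser UA
    {"id": "h1", "UserAgent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"},
    {"id": "h2", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/83.0"},
]

if __name__ == "__main__":
    for event_id, hits in scan(PROCESS_EVENTS, HTTP_EVENTS).items():
        print(event_id, hits)
```

The module-extension and writable-directory checks are what separate the malicious rundll32 launches (p2, p3) from the benign Control Panel launch (p4); the Office-parent rule alone would fire only on p2, because the second rundll32 is spawned by the first, not by Word.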
Processes

WINWORD.EXE (pid 3968)
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\command.11.30.2020.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ rundll32.exe (pid 4032, child of 3968)
      C:\Windows\SYSTEM32\rundll32.exe
      rundll32 c:\programdata\rDPRg.pdf,ShowDialogA -r
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      └ rundll32.exe (pid 4056, child of 4032)
          C:\Windows\SysWOW64\rundll32.exe
          rundll32 c:\programdata\rDPRg.pdf,ShowDialogA -r
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses

Word launches the 64-bit rundll32 on c:\programdata\rDPRg.pdf, a PE file despite its extension (see Loads dropped DLL and the hashes under Downloads), naming its ShowDialogA export as the entry point. That rundll32 then re-launches the SysWOW64 rundll32 with the same command line, which is what rundll32 does when handed a 32-bit module, and it is the 32-bit instance that loads the DLL and makes the network requests.
Downloads

\??\c:\programdata\rDPRg.pdf
\ProgramData\rDPRg.pdf (same file, identical hashes)
MD5: ae5457bcea1769c46943b25d392972cc
SHA1: 3cf2402aef141fb86a041d12bda1a4132a4d7a42
SHA256: 73708b111656b06a0c0d8b313f542bf526a24efda87e1fb738d4753dc34769e0
SHA512: 39a042dca7490974b958783d3f27af9ba0db2488426fd6915a8336099001990ff36eebe719680b32968974424e2432382f961a41a9e7960d4e11520fa94e4afb

memory/3968-2-0x00007FFCBC0A0000-0x00007FFCBC6D7000-memory.dmp (6.2MB)
memory/3968-3-0x000001FA296B3000-0x000001FA296B8000-memory.dmp (20KB)
memory/3968-4-0x000001FA296AE000-0x000001FA296B3000-memory.dmp (20KB)
memory/3968-5-0x000001FA296B3000-0x000001FA296B8000-memory.dmp (20KB)
memory/4032-6-0x0000000000000000-mapping.dmp
memory/4056-8-0x0000000000000000-mapping.dmp
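The check a triager wants on the dropped rDPRg.pdf is whether it really is a PE, for which machine type, and whether it exports the ShowDialogA entry point rundll32 was told to call. The Python below is an added example, not code from the report. Because the real file's bytes are not reproduced here, it first builds a constructed stand-in (a minimal 32-bit DLL exporting one function; the internal name, the export body and the i386 machine type are assumptions, the last chosen because a 64-bit rundll32 re-launching its SysWOW64 copy is the behaviour it shows for a 32-bit module) and then parses it with a small PE header and export-table walker that works on any PE32/PE32+ file.

```python
import struct

SECTION_RVA, SECTION_RAW, FILE_ALIGN = 0x1000, 0x200, 0x200
IMAGE_FILE_DLL, IMAGE_FILE_MACHINE_I386 = 0x2000, 0x14C
EXECUTABLE_EXTS = {"dll", "exe", "cpl", "ocx", "drv", "ax", "sys", "scr"}


def build_fake_pdf_dll(export_name=b"ShowDialogA", dll_name=b"rDPRg.pdf"):
    """Constructed test input: a minimal 32-bit PE DLL with one named export.
    It stands in for the real rDPRg.pdf, whose bytes are not reproduced here."""
    body = bytearray(40)                                   # export directory, filled in below
    off_funcs = len(body); body += b"\0" * 4               # AddressOfFunctions[1]
    off_names = len(body); body += b"\0" * 4               # AddressOfNames[1]
    off_ords = len(body);  body += b"\0" * 2               # AddressOfNameOrdinals[1]
    off_dll = len(body);   body += dll_name + b"\0"
    off_exp = len(body);   body += export_name + b"\0"
    body += b"\0" * (-len(body) % 4)
    off_code = len(body);  body += b"\x31\xC0\xC3"          # xor eax,eax ; ret (placeholder body)
    struct.pack_into("<I", body, off_funcs, SECTION_RVA + off_code)
    struct.pack_into("<I", body, off_names, SECTION_RVA + off_exp)
    struct.pack_into("<H", body, off_ords, 0)
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, SECTION_RVA + off_dll, 1, 1, 1,
                     SECTION_RVA + off_funcs, SECTION_RVA + off_names, SECTION_RVA + off_ords)
    raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN

    dos = bytearray(64); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature right after
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102 | IMAGE_FILE_DLL)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, len(body), 0, 0, SECTION_RVA + off_code, SECTION_RVA, SECTION_RVA,
                      0x10000000, 0x1000, FILE_ALIGN, 6, 0, 0, 0, 6, 0,
                      0, SECTION_RVA + 0x1000, SECTION_RAW, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", SECTION_RVA, 40) + b"\0" * (8 * 15)   # entry 0 = export table
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECTION_RVA, raw_size, SECTION_RAW,
                       0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + dirs + sect
    return hdr.ljust(SECTION_RAW, b"\0") + bytes(body).ljust(raw_size, b"\0")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def inspect_pe(data):
    """Parse PE headers and named exports; returns is_pe=False for anything that is not a PE."""
    info = {"is_pe": False, "is_dll": False, "machine": None, "exports": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info.update(is_pe=True, is_dll=bool(chars & IMAGE_FILE_DLL), machine=machine)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data directories
    export_rva, _ = struct.unpack_from("<II", data, dir_off)
    sections = [struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i) for i in range(nsect)]

    def rva_to_off(rva):
        for _, vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x maps to no section" % rva)

    if export_rva:
        exp = struct.unpack_from("<IIHHIIIIIII", data, rva_to_off(export_rva))
        names_off = rva_to_off(exp[9])                         # AddressOfNames
        for i in range(exp[7]):                                # NumberOfNames
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            info["exports"].append(_cstr(data, rva_to_off(name_rva)))
    return info


def is_masquerading(filename, data):
    """True when a file whose extension is not executable is nevertheless a valid PE."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return inspect_pe(data)["is_pe"] and ext not in EXECUTABLE_EXTS


if __name__ == "__main__":
    sample = build_fake_pdf_dll()
    print(inspect_pe(sample), is_masquerading("rDPRg.pdf", sample))
```

On a real triage the same inspect_pe call runs over the bytes of the dropped file; a machine value of 0x14C confirms the 32-bit module that explains the SysWOW64 rundll32 in the tree, and an exports list that lacks the named entry point would mean rundll32 could not have called it and the sample is doing something else.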