Analysis

max time kernel: 138s
max time network: 131s
platform: windows10_x64
resource: win10v20201028
submitted: 03-12-2020 13:08 (day-month-year, i.e. 3 December 2020)

Static task: static1
Behavioral task: behavioral1
  Sample: ordine.12.20.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ordine.12.20.doc
  Resource: win10v20201028
General

Target: ordine.12.20.doc
Size: 91KB
MD5: d877528f01cafe6d9401c89e4c4799a5
SHA1: 10836e28ae5184ae004c3b60159c2e994832c90c
SHA256: 9a752f4b373e32ef86ead4516cceb238bdef9519191922abf5141261b13c38f3
SHA512: c33b67bebe288ed9718f6485fb0ac3a46bdcaf0726bf37b378b1ed8920450cabc22b7cd57b3a6dc6f9daeedca6929e899f4b49969d674ed865211dd121a02bc4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2376  ms.com
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that all three reads below are attributed to WINWORD.EXE, the host application, not to the dropped binary; querying the CPU name and clock speed is a lookup many legitimate applications perform, so on its own this signature is low-confidence and should be weighed together with the dropped-file and regsvr32 activity further down.
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0        WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  1036  WINWORD.EXE
  1036  WINWORD.EXE
Suspicious use of SetWindowsHookEx (17 IoCs)
  pid   process
  1036  WINWORD.EXE (all 17 occurrences are from this process)
Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   process  target process
  PID 2376 wrote to memory of 1492  2376  ms.com   regsvr32.exe
  PID 2376 wrote to memory of 1492  2376  ms.com   regsvr32.exe
Processes

Tree depth is shown by indentation. Note that ms.com is listed as a second root at the same depth as WINWORD.EXE, not as its child; the report does not record which process launched it.

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1036)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordine.12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\users\public\ms.com (PID 2376)
  Command line: C:\users\public\ms.com C:\users\public\ms.html
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\regsvr32.exe (PID 1492)
      Command line: "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
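The process tree above is the most actionable part of this report for a detection engineer: a binary with a .com extension executing out of C:\users\public, and regsvr32.exe being handed a .tmp file from the user's Temp directory instead of a DLL. The following is an added example, not part of the sandbox report, showing how those observations turn into rules over process-creation telemetry. It assumes records shaped like Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); the three sample records are constructed to mirror the tree above, with the PIDs, images and command lines taken from the report and ms.com's parent left unknown (None) because the report shows it as a root. The rule names, the ProcEvent type and the directory and LOLBin lists are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process-creation records in the shape of Sysmon Event ID 1 fields
# (ProcessId, ParentProcessId, Image, CommandLine). The three records below are
# CONSTRUCTED to mirror the process tree in the report: PIDs, images and command
# lines are the ones listed there; ms.com is shown as a second tree root, so its
# parent is unknown and left as None rather than guessed.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str

SAMPLE_EVENTS = [
    ProcEvent(1036, None,
              r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\ordine.12.20.doc" /o ""'),
    ProcEvent(2376, None,
              r"C:\users\public\ms.com",
              r"C:\users\public\ms.com C:\users\public\ms.html"),
    ProcEvent(1492, 2376,
              r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp'),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries that load and run whatever file they are pointed at.
LOADER_LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Directories any user can write to; payloads staged here need no elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\(public|[^\\]+\\appdata)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping quoted paths (with spaces) whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def direct_findings(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Rules that fire on one record alone (plus its immediate parent, if known)."""
    hits: list[str] = []
    name = basename(ev.image)
    parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
    if parent is not None and basename(parent.image) in OFFICE_APPS:
        hits.append("spawned-by-office-app")
    if USER_WRITABLE.match(ev.image):
        hits.append("image-in-user-writable-dir")
    if name.endswith(".com"):
        # Modern legitimate binaries almost never ship as .com; it is a renaming trick.
        hits.append("image-has-.com-extension")
    if name in LOADER_LOLBINS:
        for arg in split_cmdline(ev.cmdline)[1:]:
            if not arg or arg[0] in "/-":
                continue  # switches such as /s or /n, not a payload path
            if USER_WRITABLE.match(arg) or "\\temp\\" in arg.lower():
                hits.append(f"{name}-loads-from-user-writable-dir")
            if not arg.lower().endswith((".dll", ".ocx")):
                hits.append(f"{name}-loads-non-dll:{arg.rsplit('.', 1)[-1].lower()}")
    return hits


def analyze(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each PID to its findings, adding an ancestry hit when any ancestor fired."""
    by_pid = {e.pid: e for e in events}
    direct = {e.pid: direct_findings(e, by_pid) for e in events}
    result: dict[int, list[str]] = {}
    for e in events:
        hits = list(direct[e.pid])
        ppid = e.ppid
        while ppid is not None and ppid in by_pid:
            if direct[ppid]:
                hits.append(f"ancestor-flagged:{ppid}")
            ppid = by_pid[ppid].ppid
        result[e.pid] = hits
    return result


if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
```

Two points this makes that the tree alone does not. First, the spawned-by-office-app rule never fires on this data, because the report records ms.com as a root rather than a child of WINWORD.EXE; in real telemetry a launch brokered through another component (WMI, for instance) shows the broker as parent, so rules keyed only on an Office parent miss this tree, while the rules on the child's own path and extension and on regsvr32's argument still catch it. Second, because the dropped binary has been renamed, its image name tells you nothing about what it really is; the file hash from the Downloads section (SHA256 c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed) is what identifies it, and the hash, not the name, is what belongs in a blocklist.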
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\temp.tmp
  MD5     6bba6235197ae9997ec5da8631fdc6cc
  SHA1    408071b5b21e4b8b78ff9dfda36484270fc537e1
  SHA256  cf410691b63dd4e596d9a3a01855aa77f04ae6b4c93e7dc15890f6f06cc1ffa6
  SHA512  55466541278bbe28245fdcf86ddfd24b7bc04bd8074c19bfbbce2e5ef5685385020cdede98841ba5592fd8e24c53fea2b17b3c09b8b81aacdf45aecb1c51be2a

C:\Users\Public\ms.com
  MD5     98447a7f26ee9dac6b806924d6e21c90
  SHA1    a67909346a56289b7087821437efcaa51da3b083
  SHA256  c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed
  SHA512  c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

C:\users\public\ms.com (same file as above, listed again under the lower-case path)
  MD5     98447a7f26ee9dac6b806924d6e21c90
  SHA1    a67909346a56289b7087821437efcaa51da3b083
  SHA256  c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed
  SHA512  c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

C:\users\public\ms.html
  MD5     f92fb6fe7f0536a53a813177585dcfee
  SHA1    855b96cd27e0eb6f0bdff03242a7375fde19d3d7
  SHA256  f2855229bb557b3abfc20e95e879c1cd4c0102fbd9fecd7c2cbfbe6cf5be3f30
  SHA512  94f766077d27d8c04d69dcdabea02a01b8b396a0cefb1f5d81aa9f9baba6b03b3134dd822c6fe48839f7c8a944131f107cfbb5962bd242a922937ce884ccebd6
Memory dumps (PID-sequence-address range)
  dump                                                              size
  memory/1036-2-0x000002616E8C0000-0x000002616EEF7000-memory.dmp   6.2MB
  memory/1036-3-0x0000026179094000-0x0000026179099000-memory.dmp   20KB
  memory/1036-5-0x00000261791BC000-0x00000261791C1000-memory.dmp   20KB
  memory/1036-4-0x00000261791BC000-0x00000261791C1000-memory.dmp   20KB
  memory/1036-6-0x00000261791BC000-0x00000261791C1000-memory.dmp   20KB
  memory/1036-7-0x00000261791FB000-0x0000026179205000-memory.dmp   40KB
  memory/1036-8-0x00000261791FB000-0x0000026179205000-memory.dmp   40KB
  memory/1492-12-0x0000000000000000-mapping.dmp                    (no size listed)