Resubmissions
04-12-2020 23:26
201204-em2p576lje 404-12-2020 23:21
201204-djhepqlp7s 704-12-2020 23:16
201204-np79pl4zy2 7Analysis
-
max time kernel
106s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-12-2020 23:21
Static task
static1
Behavioral task
behavioral1
Sample
view page source hybrid.rtf
Resource
win7v20201028
Behavioral task
behavioral2
Sample
view page source hybrid.rtf
Resource
win10v20201028
General
-
Target
view page source hybrid.rtf
-
Size
46KB
-
MD5
4dfa2438ea66e13ccd84afca3c410be4
-
SHA1
9e131830c70fe743b0625637fa407cad525811f5
-
SHA256
187441262398983e2bf4672e06325e247537e083f9dcf384762858307cc5c8df
-
SHA512
218ce0bdbf2011864ea3d7b6b733ceadb8c4f93c180fca371c0fb79b8514843dff30c54b483d17e5b9c3743f347e5761ee3fae3d1c8a0d1e5b18cc76fcff277c
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE 580 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\view page source hybrid.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s fdPHost1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/580-2-0x000001132A920000-0x000001132AF57000-memory.dmpFilesize
6.2MB
-
memory/580-3-0x00007FF91CAE0000-0x00007FF91F603000-memory.dmpFilesize
43.1MB
-
memory/580-4-0x00007FF91CAE0000-0x00007FF91F603000-memory.dmpFilesize
43.1MB
-
memory/580-5-0x00007FF91CAE0000-0x00007FF91F603000-memory.dmpFilesize
43.1MB