Analysis
  max time kernel: 136s
  max time network: 132s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 07-12-2020 17:58

Static task: static1
Behavioral task: behavioral1
  Sample: dictate,12.07.2020.doc
  Resource: win7v20201028
General
  Target: dictate,12.07.2020.doc
  Size: 74KB
  MD5: 5b14a94211accca8f8a1ff5817af10f4
  SHA1: f52cffebeda9aba7ddea487b71b5b689ab0212f4
  SHA256: 385794d14430b56014a7ec11add05404f0038dc39b6e0f6617c67a13128e176a
  SHA512: ffb1e76deca20465b5c13999a6fbe5ebcb4fff858aaf7beffb4c08c79704c9623b214000e410b96b478b1edfa19825f0ff1125da68255e3b1bf6432151948d45
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the child is rundll32.exe invoked with url.dll,OpenURL to open an HTA file from C:\users\public (see the process tree below), a living-off-the-land way of launching a script without calling mshta.exe directly from the document.
Processes:
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 3236 (rundll32.exe)   pid_target: 4772 (WINWORD.EXE)
Blocklisted process makes network request (9 IoCs)
Processes:
  flow  pid   process
  14    4076  mshta.exe
  29    4528  rundll32.exe
  31    4528  rundll32.exe
  33    4528  rundll32.exe
  39    4528  rundll32.exe
  41    4528  rundll32.exe
  43    4528  rundll32.exe
  45    4528  rundll32.exe
  46    4528  rundll32.exe

Downloads MZ/PE file
No process is attributed to this signature in the report. The only dropped file that is subsequently loaded as a DLL is c:\programdata\aPJ75.pdf (hashes under Downloads), loaded by rundll32.exe (PID 4528) despite its .pdf extension.
Loads dropped DLL (1 IoC)
Processes:
  pid: 4528   process: rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; no process is attributed to it in this report, so treat it as weak evidence on its own.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that the process making these queries is WINWORD.EXE itself, which reads these keys during normal start-up; on its own this is weak evidence of sandbox evasion by the document.
Processes:
  description        ioc                                                                             process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz          WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  rundll32.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid: 4772   process: WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 4528   process: rundll32.exe (2 entries)

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
  pid: 4772   process: WINWORD.EXE (17 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process       target process
  PID 4772 wrote to memory of 3236   4772  WINWORD.EXE   rundll32.exe   (2 entries)
  PID 3236 wrote to memory of 4076   3236  rundll32.exe  mshta.exe      (3 entries)
  PID 4076 wrote to memory of 4528   4076  mshta.exe     rundll32.exe   (3 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate,12.07.2020.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe
         "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" c:\programdata\aPJ75.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses

Two points in the tree are worth noting. The final rundll32.exe has image path C:\Windows\SysWOW64\rundll32.exe although its command line names C:\Windows\System32\rundll32.exe: its parent mshta.exe is the 32-bit build in SysWOW64, so WOW64 file-system redirection maps the System32 path to SysWOW64. And the module it is asked to load, c:\programdata\aPJ75.pdf, is not a PDF at all: rundll32 treats the file as a DLL and calls its ShowDialogA export, and the sandbox records it under "Loads dropped DLL".
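The chain above (Office document, rundll32 with url.dll,OpenURL, mshta, rundll32 loading a non-DLL file) is easy to express as detection logic over process-creation events. The following Python is an added example and is not part of the sandbox report. The event records are constructed by hand from the tree above (PIDs and command lines as listed there); the field names pid/ppid/image/cmdline are an assumption modelled on Sysmon event ID 1, WINWORD's parent is not given in the report so its ppid is None, and the url.dll exports other than OpenURL (OpenURLA, FileProtocolHandler) are assumed from general LOLBin knowledge, not from this report.

```python
"""
Detection logic for the execution chain in this report:
  WINWORD.EXE -> rundll32.exe url.dll,OpenURL <.hta> -> mshta.exe -> rundll32.exe <non-DLL file>,<export>
"""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "regsvr32.exe"}
# Module extensions rundll32 is normally asked to load; anything else (here a .pdf) is suspect.
DLL_LIKE = {".dll", ".cpl", ".ocx", ".drv", ".ax"}
# url.dll exports that turn rundll32 into a file/URL launcher. OpenURL is the one seen in this
# report; the other two are assumed from general LOLBin knowledge, not taken from the report.
URL_DLL_LAUNCHERS = {"openurl", "openurla", "fileprotocolhandler"}
# Locations any user can write to; an .hta executed from here is rarely legitimate.
WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

# Constructed records mirroring the report's process tree (PIDs and command lines as listed
# there). Field names are an assumption modelled on Sysmon event ID 1; WINWORD's parent is
# not given in the report, so its ppid is None.
EVENTS = [
    {"pid": 4772, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate,12.07.2020.doc" /o ""'},
    {"pid": 3236, "ppid": 4772,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta'},
    {"pid": 4076, "ppid": 3236,
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 4528, "ppid": 4076,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" c:\programdata\aPJ75.pdf,ShowDialogA -r'},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double-quoted arguments."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return PureWindowsPath(path).name.lower()


def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of ev for as long as they exist in the event set."""
    cur = by_pid.get(ev["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])


def office_chain(events):
    """Image-name chain from an Office process down to its deepest descendant, or []."""
    by_pid = {e["pid"]: e for e in events}
    best = []
    for ev in events:
        chain = [basename(a["image"]) for a in ancestors(ev, by_pid)][::-1] + [basename(ev["image"])]
        if chain[0] in OFFICE_IMAGES and len(chain) > len(best):
            best = chain
    return best


def analyze(events):
    """Return (rule, pid, detail) findings for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        image = basename(ev["image"])
        parent = by_pid.get(ev["ppid"])
        tokens = tokenize(ev["cmdline"])
        args = tokens[1:]  # drop argv[0]

        # Office application directly spawning a script host / LOLBin.
        if parent and basename(parent["image"]) in OFFICE_IMAGES and image in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", ev["pid"],
                             f"{basename(parent['image'])} -> {image}"))

        # rundll32 used as a launcher via url.dll, or asked to load a non-DLL file as a module.
        if image == "rundll32.exe" and args:
            module, _, export = args[0].partition(",")
            if basename(module) == "url.dll" and export.lower() in URL_DLL_LAUNCHERS:
                findings.append(("rundll32_url_dll_launch", ev["pid"], args[1] if len(args) > 1 else ""))
            elif PureWindowsPath(module).suffix.lower() not in DLL_LIKE:
                findings.append(("rundll32_loads_non_dll_extension", ev["pid"], module))

        # mshta running an .hta from a world-writable directory.
        if image == "mshta.exe":
            for a in args:
                if a.lower().endswith(".hta") and any(d in a.lower() for d in WRITABLE_DIRS):
                    findings.append(("mshta_hta_in_writable_dir", ev["pid"], a))

        # Image path and argv[0] disagree (e.g. System32 on the command line, SysWOW64 on disk
        # because a 32-bit parent was subject to WOW64 file-system redirection).
        argv0 = tokens[0] if tokens else ""
        if argv0 and basename(argv0) == image and \
                PureWindowsPath(argv0).parent != PureWindowsPath(ev["image"]).parent:
            findings.append(("image_path_differs_from_cmdline", ev["pid"], f"{argv0} ran as {ev['image']}"))
    return findings


if __name__ == "__main__":
    print("chain:", " -> ".join(office_chain(EVENTS)))
    for rule, pid, detail in analyze(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

On the constructed records this yields the four-process chain and five findings: the Office-to-rundll32 spawn and the url.dll launch on PID 3236, the .hta in C:\users\public on PID 4076, and on PID 4528 both the .pdf-named module and the System32/SysWOW64 mismatch. The rules are deliberately independent so that a partial chain (for instance a macro that calls mshta directly) still produces at least one hit.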
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\users\public\index.hta
    MD5: f1fd3c7339f246952ea4d133c1c434c9
    SHA1: 769ea491fe690db6be9d35c7897b851533da17b9
    SHA256: cf7884282315ddb95585e8f132af0c05e679ef2b92a3365f6e0eeefc49f36b57
    SHA512: 865e70290ea4529c35c60805f35f9b6777de9a5c99cc4c3f067afd59f04f882974d5b2a03b23b14b313906de7c6093c671f6ad5f288cc7968479cb5a9a1f58be

  \??\c:\programdata\aPJ75.pdf
    MD5: b5af056d1743a032d9e832db1de90681
    SHA1: 3e80686d7fe8439859034e0043614d8e3398ba54
    SHA256: 768a3a123f18073fc2caaa367e10dd880eb39d88669bf89a01f1c73e30b44be3
    SHA512: 216a867d4e97422677595ad946d6a57b46d535849bf1d69ecdb51bb2bf372c724d9405a39ec60dc2f88e00686613d81c70cfbcc85db9874465ef97b03e344520

  \ProgramData\aPJ75.pdf (same file as the entry above; identical hashes)
    MD5: b5af056d1743a032d9e832db1de90681
    SHA1: 3e80686d7fe8439859034e0043614d8e3398ba54
    SHA256: 768a3a123f18073fc2caaa367e10dd880eb39d88669bf89a01f1c73e30b44be3
    SHA512: 216a867d4e97422677595ad946d6a57b46d535849bf1d69ecdb51bb2bf372c724d9405a39ec60dc2f88e00686613d81c70cfbcc85db9874465ef97b03e344520

  memory/3236-6-0x0000000000000000-mapping.dmp
  memory/4076-8-0x0000000000000000-mapping.dmp
  memory/4528-9-0x0000000000000000-mapping.dmp
  memory/4772-2-0x00007FFBDF9B0000-0x00007FFBDFFE7000-memory.dmp (Filesize: 6.2MB)