Analysis
- max time kernel: 136s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 17:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: files.12.20.doc
- Resource: win7v20201028
General
- Target: files.12.20.doc
- Size: 76KB
- MD5: 277c10ae03a3921e32a583433bf9da1b
- SHA1: a3dd37ef2a327ab4b835c493bc25ca720837af23
- SHA256: 2016bab0c36eafaba9a47f2872310f48613e055492bb7b450ce807cec8ed0a53
- SHA512: a48caa5d129eb97779483e84e2fe2f6cb07caea7e239e1a2216b9eaf67ce427c6ba475f7e92907b2d12884281f95775e8ed684ae5c769a9bb1a71690e52ded5b
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2172 | 4636 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (9 IoCs)
  Processes (flow | pid | process):
    14 | 3912 | mshta.exe
    30 | 2512 | rundll32.exe
    32 | 2512 | rundll32.exe
    34 | 2512 | rundll32.exe
    38 | 2512 | rundll32.exe
    40 | 2512 | rundll32.exe
    42 | 2512 | rundll32.exe
    44 | 2512 | rundll32.exe
    45 | 2512 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2512 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    4636 | WINWORD.EXE (2 entries)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    2512 | rundll32.exe (2 entries)
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes (pid | process):
    4636 | WINWORD.EXE (17 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 4636 wrote to memory of 2172 | 4636 | WINWORD.EXE | rundll32.exe (2 entries)
    PID 2172 wrote to memory of 3912 | 2172 | rundll32.exe | mshta.exe (3 entries)
    PID 3912 wrote to memory of 2512 | 3912 | mshta.exe | rundll32.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files.12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aWFPjN.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 52514804e042ebe0256a8671a7282552
  SHA1: 401025bdbdedf098e2dcd6f4c597d5e091785be7
  SHA256: 68745718c2ed1d006064a6c9f5ac15665ac7d6bc7420f8830abbb9be386cd144
  SHA512: 4c34a26c379d168046a05a939a007bffc95be3da6b6fc3d63d1c4f10f6b00530327ee17ffabdc2bb32bdc7fd6af7e87a014892574e91a9b310991a647bb95597
- \??\c:\programdata\aWFPjN.pdf
  MD5: a728f40b8e9c9c942be81be11aad5263
  SHA1: cd89a72327993a2b6a4f62f79377bf61d56686ae
  SHA256: a271d925f3f9e43f10e8f4887f3f60cbd07e94ea780a46ce512077749b3e9a02
  SHA512: c618a106fbd364775fde5ae2e69393cd2bb08da0ba4863799a8aa80ce7f017dd2131150e0664574a7b8f682a6ffbfa9c7d65434c35e6ce83dfd03e972db91db5
- \ProgramData\aWFPjN.pdf
  MD5: a728f40b8e9c9c942be81be11aad5263
  SHA1: cd89a72327993a2b6a4f62f79377bf61d56686ae
  SHA256: a271d925f3f9e43f10e8f4887f3f60cbd07e94ea780a46ce512077749b3e9a02
  SHA512: c618a106fbd364775fde5ae2e69393cd2bb08da0ba4863799a8aa80ce7f017dd2131150e0664574a7b8f682a6ffbfa9c7d65434c35e6ce83dfd03e972db91db5
- memory/2172-5-0x0000000000000000-mapping.dmp
- memory/2512-8-0x0000000000000000-mapping.dmp
- memory/3912-7-0x0000000000000000-mapping.dmp
- memory/4636-2-0x00007FF9C8C40000-0x00007FF9C9277000-memory.dmp
  Filesize: 6.2MB
- memory/4636-3-0x00000193420F2000-0x00000193420F7000-memory.dmp
  Filesize: 20KB
- memory/4636-4-0x00000193420F2000-0x00000193420F7000-memory.dmp
  Filesize: 20KB