Analysis
-
max time kernel
67s -
max time network
15s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
07-12-2020 17:58
Static task
static1
Behavioral task
behavioral1
Sample
commerce ,12.20.doc
Resource
win7v20201028
General
-
Target
commerce ,12.20.doc
-
Size
73KB
-
MD5
ff964fd38ca1b1c28d543574f2fbbf74
-
SHA1
4eff0c20e4740e3e4eb53c5489d01a079c1ef3ee
-
SHA256
0cc40f89721a9d22358c612aa94164b3ce259da696798c2d6fde6ad7c82d396e
-
SHA512
23a034d28dcd837d61253cdd79c0d62c91923f03831d330e2a2cc92305e29d571b10ecd8086885b4b478044386847d92f71ce536996980675fca7f0ba5051ea2
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 904 648 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 4 1800 mshta.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 648 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE 648 WINWORD.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 648 wrote to memory of 904 648 WINWORD.EXE rundll32.exe PID 904 wrote to memory of 1800 904 rundll32.exe mshta.exe PID 904 wrote to memory of 1800 904 rundll32.exe mshta.exe PID 904 wrote to memory of 1800 904 rundll32.exe mshta.exe PID 904 wrote to memory of 1800 904 rundll32.exe mshta.exe PID 648 wrote to memory of 1480 648 WINWORD.EXE splwow64.exe PID 648 wrote to memory of 1480 648 WINWORD.EXE splwow64.exe PID 648 wrote to memory of 1480 648 WINWORD.EXE splwow64.exe PID 648 wrote to memory of 1480 648 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce ,12.20.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"3⤵
- Blocklisted process makes network request
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\index.htaMD5
038eb5ce0b836e5cdf34b2deadff3d51
SHA1aa55e8b635b58e74c90b2e2828fdf63b15f7a99b
SHA25671d2108c013ba714a174583318dd9fe86f7d3d7bb723c389121ad9f185e1d2aa
SHA5127a55cfaa21608822c862602a1a11dce240ef61736961bf1c36f6439bf77ec274f539135d3b9c392cfa8a4ecc18ada850b2e3eeeab606333ebea0f9b0944f8503
-
memory/648-2-0x0000000004DEE000-0x0000000004DF1000-memory.dmpFilesize
12KB
-
memory/648-3-0x0000000000843000-0x0000000000847000-memory.dmpFilesize
16KB
-
memory/904-4-0x0000000000000000-mapping.dmp
-
memory/1480-7-0x0000000000000000-mapping.dmp
-
memory/1684-8-0x000007FEF62A0000-0x000007FEF651A000-memory.dmpFilesize
2.5MB
-
memory/1800-6-0x0000000000000000-mapping.dmp