Analysis
- max time kernel: 137s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 17:58
Static task: static1
Behavioral task: behavioral1
Sample: commerce ,12.20.doc
Resource: win7v20201028
General
- Target: commerce ,12.20.doc
- Size: 73KB
- MD5: ff964fd38ca1b1c28d543574f2fbbf74
- SHA1: 4eff0c20e4740e3e4eb53c5489d01a079c1ef3ee
- SHA256: 0cc40f89721a9d22358c612aa94164b3ce259da696798c2d6fde6ad7c82d396e
- SHA512: 23a034d28dcd837d61253cdd79c0d62c91923f03831d330e2a2cc92305e29d571b10ecd8086885b4b478044386847d92f71ce536996980675fca7f0ba5051ea2
Malware Config
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2068 | 1404 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (9 IoCs)
  Processes (flow | pid | process):
    22 | 3032 | mshta.exe
    29 | 3384 | rundll32.exe
    31 | 3384 | rundll32.exe
    33 | 3384 | rundll32.exe
    35 | 3384 | rundll32.exe
    37 | 3384 | rundll32.exe
    39 | 3384 | rundll32.exe
    46 | 3384 | rundll32.exe
    47 | 3384 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
    3384 | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    1404 | WINWORD.EXE
    1404 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    3384 | rundll32.exe
    3384 | rundll32.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes (pid | process):
    1404 | WINWORD.EXE (17 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 1404 wrote to memory of 2068 | 1404 | WINWORD.EXE | rundll32.exe (2 entries)
    PID 2068 wrote to memory of 3032 | 2068 | rundll32.exe | mshta.exe (3 entries)
    PID 3032 wrote to memory of 3384 | 3032 | mshta.exe | rundll32.exe (3 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce ,12.20.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\mshta.exe
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aNkDL.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 038eb5ce0b836e5cdf34b2deadff3d51
  SHA1: aa55e8b635b58e74c90b2e2828fdf63b15f7a99b
  SHA256: 71d2108c013ba714a174583318dd9fe86f7d3d7bb723c389121ad9f185e1d2aa
  SHA512: 7a55cfaa21608822c862602a1a11dce240ef61736961bf1c36f6439bf77ec274f539135d3b9c392cfa8a4ecc18ada850b2e3eeeab606333ebea0f9b0944f8503
- \??\c:\programdata\aNkDL.pdf
  MD5: 83110be2837dfb77d4ab80893f36864b
  SHA1: 803c2df0df04a527dec31442ceed6d390bdc5b51
  SHA256: e9dbded933df6b5b2f5ed51d19dad0789ebfb06dc9a470987a3f7b7dca168843
  SHA512: f620c35d3614fb2430027b95ab9e4dec08dff32c773d6782236f40f9cd71418ffde341e8e2cbd210e2dfd7f11e4659645c981caba14b493ba97f5c89ccbb68c1
- \ProgramData\aNkDL.pdf
  MD5: 83110be2837dfb77d4ab80893f36864b
  SHA1: 803c2df0df04a527dec31442ceed6d390bdc5b51
  SHA256: e9dbded933df6b5b2f5ed51d19dad0789ebfb06dc9a470987a3f7b7dca168843
  SHA512: f620c35d3614fb2430027b95ab9e4dec08dff32c773d6782236f40f9cd71418ffde341e8e2cbd210e2dfd7f11e4659645c981caba14b493ba97f5c89ccbb68c1
- memory/1404-2-0x00007FFB52C70000-0x00007FFB532A7000-memory.dmp
  Filesize: 6.2MB
- memory/1404-5-0x0000020288E65000-0x0000020288E6A000-memory.dmp
  Filesize: 20KB
- memory/2068-6-0x0000000000000000-mapping.dmp
- memory/3032-8-0x0000000000000000-mapping.dmp
- memory/3384-9-0x0000000000000000-mapping.dmp