Analysis
- max time kernel: 139s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 17:16
Static task: static1
Behavioral task: behavioral1
- Sample: input_12.20.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: input_12.20.doc
- Resource: win10v20201028
General
- Target: input_12.20.doc
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 2496; pid_target: 3928; process: rundll32.exe; target process: WINWORD.EXE
Blocklisted process makes network request (9 IoCs)
Processes: mshta.exe, rundll32.exe
- flow 23, pid 3144, process mshta.exe
- flow 28, pid 1528, process rundll32.exe
- flow 30, pid 1528, process rundll32.exe
- flow 35, pid 1528, process rundll32.exe
- flow 39, pid 1528, process rundll32.exe
- flow 41, pid 1528, process rundll32.exe
- flow 43, pid 1528, process rundll32.exe
- flow 45, pid 1528, process rundll32.exe
- flow 47, pid 1528, process rundll32.exe
Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
- pid 1528, process rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (1 IoC)
Processes: rundll32.exe
- Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings (rundll32.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid 3928, process WINWORD.EXE (2 identical entries)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
- pid 1528, process rundll32.exe (2 identical entries)
Suspicious use of SetWindowsHookEx (17 IoCs)
Processes: WINWORD.EXE
- pid 3928, process WINWORD.EXE (17 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: WINWORD.EXE, rundll32.exe, mshta.exe
- PID 3928 wrote to memory of 2496: process WINWORD.EXE, target process rundll32.exe (2 entries)
- PID 2496 wrote to memory of 3144: process rundll32.exe, target process mshta.exe (3 entries)
- PID 3144 wrote to memory of 1528: process mshta.exe, target process rundll32.exe (3 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 3928)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\input_12.20.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\System32\rundll32.exe (pid 2496, child of 1)
   Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
   - Process spawned unexpected child process
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\mshta.exe (pid 3144, child of 2)
   Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\rundll32.exe (pid 1528, child of 3)
   Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aK2TUb.pdf,ShowDialogA -r
   - Blocklisted process makes network request
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\users\public\index.hta
- \??\c:\programdata\aK2TUb.pdf
- \ProgramData\aK2TUb.pdf (the same file as the previous entry, reported under a second path)
- memory/1528-7-0x0000000000000000-mapping.dmp
- memory/2496-4-0x0000000000000000-mapping.dmp
- memory/3144-6-0x0000000000000000-mapping.dmp
- memory/3928-2-0x0000023FDFA30000-0x0000023FE0067000-memory.dmp (filesize 6.2MB)