Analysis
- max time kernel: 139s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 17:58
- Static task: static1
- Behavioral task: behavioral1
  - Sample: certificate_12.20.doc
  - Resource: win7v20201028
General
- Target: certificate_12.20.doc
- Size: 75KB
- MD5: 09a3cabe56bddaccf3736c626524a267
- SHA1: ecd402f6d90ce58878aa67cc889e1a2ffecafe3e
- SHA256: 3e670878dd1bec8ea456d334a47600c9e174a380afd89d86725fa8e81b9bc8f4
- SHA512: 2d651168d56371706ea4709f0f313c9fe262a1f3930fe21e3f40e241113057a623a8839f448fbd358eeb1b446b35ab869d905efb8bef83289236533edae330ed
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4028 | 3084 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (9 IoCs)
  Processes (flow | pid | process):
  24 | 4060 | mshta.exe
  29 | 2536 | rundll32.exe
  31 | 2536 | rundll32.exe
  37 | 2536 | rundll32.exe
  39 | 2536 | rundll32.exe
  41 | 2536 | rundll32.exe
  43 | 2536 | rundll32.exe
  45 | 2536 | rundll32.exe
  47 | 2536 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  2536 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
  3084 | WINWORD.EXE (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  2536 | rundll32.exe (2 identical entries)
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes (pid | process):
  3084 | WINWORD.EXE (17 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 3084 wrote to memory of 4028 | 3084 | WINWORD.EXE | rundll32.exe (2 entries)
  PID 4028 wrote to memory of 4060 | 4028 | rundll32.exe | mshta.exe (3 entries)
  PID 4060 wrote to memory of 2536 | 4060 | mshta.exe | rundll32.exe (3 entries)
Processes (process tree; each entry is nested under the one that spawned it)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificate_12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aK2TUb.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 8983ba41e1c99c3e4c9aff611761c3f0
  SHA1: f239ccc0def9802ec8a03f75d124ad1447b274ee
  SHA256: 206f477c988d35c480f1c733a04b39ad981262973810407e4fbb879dc4cb2d1f
  SHA512: 31529a53db27aea18155330f8a26ec5090f1ac8cc9996c9374d4c9c749a02fe70b9fb070b1649c58f1e127fe7d5d2884ffabccfcc97b2bd0616fac3f88b1e460
- \??\c:\programdata\aK2TUb.pdf
  MD5: 0cac3df1337995a6720fc4d54b8fd2af
  SHA1: 772fc79ec590ffd440cc7e4f4bcd311a4af094d0
  SHA256: f79487c85c39f55bc0d7d94bf2834731af8b2ef16dfb48ab99b8b6280368dec4
  SHA512: a1612e898778410bef6ddd0fd00cd2e5190ea4d167ae2c187734782f60ee33a33a984477fdf39379d2b66a9788f49dbd777468fbc43de50350bc7eb0fab8a7bd
- \ProgramData\aK2TUb.pdf
  MD5: 0cac3df1337995a6720fc4d54b8fd2af
  SHA1: 772fc79ec590ffd440cc7e4f4bcd311a4af094d0
  SHA256: f79487c85c39f55bc0d7d94bf2834731af8b2ef16dfb48ab99b8b6280368dec4
  SHA512: a1612e898778410bef6ddd0fd00cd2e5190ea4d167ae2c187734782f60ee33a33a984477fdf39379d2b66a9788f49dbd777468fbc43de50350bc7eb0fab8a7bd
- memory/2536-9-0x0000000000000000-mapping.dmp
- memory/3084-2-0x0000018D4EB90000-0x0000018D4F1C7000-memory.dmp
  Filesize: 6.2MB
- memory/4028-6-0x0000000000000000-mapping.dmp
- memory/4060-8-0x0000000000000000-mapping.dmp