Analysis
- max time kernel: 273s
- max time network: 273s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-12-2020 20:01
- Static task: static1
General
- Target: direct-12.08.2020.doc
- Size: 111KB
- MD5: 046593bb9cc87ad15cf59af9c1993f55
- SHA1: cfbd3b7b82c3ebe22506b2f1375aacf134676c53
- SHA256: 6bdadb3e04b16759d56dd630002422a9d6da85beb1909feee5a99d14d5bbfb2a
- SHA512: cc6a7adb13f62630f4a7198b4c81a4563962c01dd8e54b68dd8fc61df22d55c32047b74d9ed8fcfeadccacfc02f88d56732ab1e23167ceb1f529a0e691028b1a
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3612 | 3564 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (5 IoCs)
  Processes:
    flow | pid | process
    31 | 3172 | rundll32.exe
    33 | 3172 | rundll32.exe
    35 | 3172 | rundll32.exe
    39 | 3172 | rundll32.exe
    40 | 3172 | rundll32.exe
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes:
    pid | process
    3564 | WINWORD.EXE
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    3172 | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  Processes:
    description | flow | ioc
    HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    3564 | WINWORD.EXE
    3564 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3172 | rundll32.exe
    3172 | rundll32.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    pid | process
    3564 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
    pid | process
    3564 | WINWORD.EXE (17 identical entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 3564 wrote to memory of 3612 | 3564 | WINWORD.EXE | rundll32.exe
    PID 3564 wrote to memory of 3612 | 3564 | WINWORD.EXE | rundll32.exe
    PID 3612 wrote to memory of 3172 | 3612 | rundll32.exe | rundll32.exe
    PID 3612 wrote to memory of 3172 | 3612 | rundll32.exe | rundll32.exe
    PID 3612 wrote to memory of 3172 | 3612 | rundll32.exe | rundll32.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct-12.08.2020.doc" /o ""
   - Deletes itself
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\rundll32.exe
      Command line: rundll32 c:\programdata\uAKDh.pdf,ShowDialogA -r
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32 c:\programdata\uAKDh.pdf,ShowDialogA -r
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\programdata\uAKDh.pdf
  MD5: 1b08e7c4cbf1e0d0f0b1ef457cd20b85
  SHA1: c8c912948318c9bbb24cb607ff99fa785a49e882
  SHA256: 9b2aa7ba6e7e536e863bc417ff7a8be7afdf6f71aa6d961d70fa487f5f1cf3b6
  SHA512: 569ffacdff57fef708e4c378e019d23c2f16f8a5c64baddee503387796d50afa110dda49ee4da7143b669d761ebe6edac6d372c1d0ce2af7618a3288caf566a0
- \ProgramData\uAKDh.pdf
  MD5: 1b08e7c4cbf1e0d0f0b1ef457cd20b85
  SHA1: c8c912948318c9bbb24cb607ff99fa785a49e882
  SHA256: 9b2aa7ba6e7e536e863bc417ff7a8be7afdf6f71aa6d961d70fa487f5f1cf3b6
  SHA512: 569ffacdff57fef708e4c378e019d23c2f16f8a5c64baddee503387796d50afa110dda49ee4da7143b669d761ebe6edac6d372c1d0ce2af7618a3288caf566a0
- memory/3172-11-0x0000000000000000-mapping.dmp
- memory/3564-2-0x00007FFC9E0E0000-0x00007FFC9E717000-memory.dmp (Filesize: 6.2MB)
- memory/3564-7-0x000001583A2A3000-0x000001583A2B4000-memory.dmp (Filesize: 68KB)
- memory/3564-13-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp (Filesize: 43.1MB)
- memory/3564-14-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp (Filesize: 43.1MB)
- memory/3564-15-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp (Filesize: 43.1MB)
- memory/3564-16-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp (Filesize: 43.1MB)
- memory/3612-9-0x0000000000000000-mapping.dmp