Analysis

Max time kernel: 136s
Max time network: 132s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 10-12-2020 01:52
Static task: static1
Behavioral task: behavioral1
Sample: particulars 12.20.doc
Resource: win7v20201028
General

Target: particulars 12.20.doc
Size: 91KB
MD5: 5ce909920e6006b358ebe30b37880aa4
SHA1: cbbbd2f5f1702853ca5b7cceae280d92b5d3d245
SHA256: c4275b08193c896015c7bcda2a4e0d940331b0806c6b32a68e32acbf78988075
SHA512: 20254b6b3c8e1b878570fcb4f19dd526e44f4763254d0255d74101e45232c72a6c31e55b7c0f59aa17069eb2f8d78d15dc5d263a9a45a29c215642c51f51ea99
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4204 | 4768 | rundll32.exe | WINWORD.EXE

Blocklisted process makes network request (7 IoCs)
Processes:
  flow | pid | process
  12 | 2796 | mshta.exe
  28 | 932 | rundll32.exe
  30 | 932 | rundll32.exe
  37 | 932 | rundll32.exe
  39 | 932 | rundll32.exe
  41 | 932 | rundll32.exe
  43 | 932 | rundll32.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  932 | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | rundll32.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid | process
  4768 | WINWORD.EXE
  4768 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  932 | rundll32.exe
  932 | rundll32.exe

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
  pid | process
  4768 | WINWORD.EXE (17 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description | pid | process | target process
  PID 4768 wrote to memory of 4204 | 4768 | WINWORD.EXE | rundll32.exe (2 entries)
  PID 4204 wrote to memory of 2796 | 4204 | rundll32.exe | mshta.exe (3 entries)
  PID 2796 wrote to memory of 932 | 2796 | mshta.exe | rundll32.exe (3 entries)
Processes (tree; PIDs taken from the signature tables above)

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4768)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\particulars 12.20.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe (PID 4204)
      Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe (PID 2796)
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe (PID 932)
            Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aMIlcj.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\index.hta
  MD5: b0d27e8940c06015cb528e8209bbfbf2
  SHA1: e28b2ab72abcbf46f748df79b61c054999a541c1
  SHA256: 0aaa17b506c8a6d3a0fe5fa46636d95068cfe6784cacfc735281ce772d0651a2
  SHA512: b19096cfcde7209362f70c6f035da86446e225e692fdf0609ed4c60ea9c7f1df9d4d0c04e6f8c941bcdbacef2e87f8b9e8e9e697f2980de27fe7297238f665f8

\??\c:\programdata\aMIlcj.pdf
  MD5: cda9f24993945f32e0de0c00caa30447
  SHA1: 9681e080567a08f86e7aa50e5160d04727dc1041
  SHA256: 51eafaf365d2228a590c97013f4a0b89c0d925715a921523eaaaeedaba7447e9
  SHA512: bcd636d4bdd2df741745bfaac43a3ba310855264ac40b592d9a320b7e26be023e0363b0d986970500d8f4d164e5dea7e29288e7356aa345c5a285c1343e34d72

\ProgramData\aMIlcj.pdf (same file as the entry above, listed under a second path form; hashes identical)
  MD5: cda9f24993945f32e0de0c00caa30447
  SHA1: 9681e080567a08f86e7aa50e5160d04727dc1041
  SHA256: 51eafaf365d2228a590c97013f4a0b89c0d925715a921523eaaaeedaba7447e9
  SHA512: bcd636d4bdd2df741745bfaac43a3ba310855264ac40b592d9a320b7e26be023e0363b0d986970500d8f4d164e5dea7e29288e7356aa345c5a285c1343e34d72

Memory dumps:
  memory/932-9-0x0000000000000000-mapping.dmp
  memory/2796-8-0x0000000000000000-mapping.dmp
  memory/4204-6-0x0000000000000000-mapping.dmp
  memory/4768-2-0x00007FFAEA620000-0x00007FFAEAC57000-memory.dmp
    Filesize: 6.2MB