Analysis
- max time kernel: 136s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-12-2020 01:52

Static task: static1
Behavioral task: behavioral1
Sample: require_12.20.doc
Resource: win7v20201028
General
- Target: require_12.20.doc
- Size: 76KB
- MD5: fcfbe68394e2b23efc2837eecf3ef1e9
- SHA1: bed81eff814cc60fda95411479693a21549ed4a5
- SHA256: 70366cc7897ffce122d00bfc52803e9baf22f06e728c9839c0a3d187e77d1229
- SHA512: 7b756fbb1c1cea76eb155bd1a68c26ef27a98a063a47ea2ab182fef8421952d7ee891f300cf2c88728d0480d2762cf98e617a2244616d791dc8bd4428f2dde94
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 1108 (rundll32.exe); pid_target: 1036 (WINWORD.EXE)
- Blocklisted process makes network request (7 IoCs)
  Processes:
  - mshta.exe (PID 900): flow 10
  - rundll32.exe (PID 2060): flows 25, 27, 34, 36, 38, 39
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
  - rundll32.exe (PID 2060)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  - WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Modifies registry class (1 IoC)
  Processes:
  - rundll32.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  - WINWORD.EXE (PID 1036), 2 occurrences
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - rundll32.exe (PID 2060), 2 occurrences
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
  - WINWORD.EXE (PID 1036), 17 occurrences
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1036 (WINWORD.EXE) wrote to memory of 1108 (rundll32.exe), 2 occurrences
  - PID 1108 (rundll32.exe) wrote to memory of 900 (mshta.exe), 3 occurrences
  - PID 900 (mshta.exe) wrote to memory of 2060 (rundll32.exe), 3 occurrences
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require_12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\amE7F.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 1d0c672803c627fb2d7f454121f0d9a1
  SHA1: 1ed482d22de659052fe3ba2b795d94930594d861
  SHA256: 2706ea22f53a820a15450024ca8746d8b119d428599a5a0d57c5e1d795409293
  SHA512: 61a17b8d6daefe48c779d7e16b00608ec6ae0fa8c8ef32806ee1c9e61f9e93419b4195213780afb93cd725dfe753858247885d2969065110bdae87a68665c0a2
- \??\c:\programdata\amE7F.pdf
  MD5: 89ce0849c216cbe688401f17f83ea77a
  SHA1: 1c6619ab2a7f2aa8b28f5bf1c41daa2238f07ae5
  SHA256: 95ec5ba04d79ece6ce21cb30bc624425a98cb3c3f07470fd1269715f10d3a7c5
  SHA512: bea33bf00c40072f2e6a3b26760caebb3409d2ad93c2b530050d3d78c21f789b86c91145c759df8c73b260fbc79be85871f3df3972916b41591b5ec55387aa8a
- \ProgramData\amE7F.pdf
  MD5: 89ce0849c216cbe688401f17f83ea77a
  SHA1: 1c6619ab2a7f2aa8b28f5bf1c41daa2238f07ae5
  SHA256: 95ec5ba04d79ece6ce21cb30bc624425a98cb3c3f07470fd1269715f10d3a7c5
  SHA512: bea33bf00c40072f2e6a3b26760caebb3409d2ad93c2b530050d3d78c21f789b86c91145c759df8c73b260fbc79be85871f3df3972916b41591b5ec55387aa8a
- memory/900-8-0x0000000000000000-mapping.dmp
- memory/1036-2-0x00007FFC419B0000-0x00007FFC41FE7000-memory.dmp (Filesize: 6.2MB)
- memory/1036-3-0x000001EC45F7B000-0x000001EC45FE4000-memory.dmp (Filesize: 420KB)
- memory/1036-4-0x000001EC46082000-0x000001EC46087000-memory.dmp (Filesize: 20KB)
- memory/1036-5-0x000001EC46082000-0x000001EC46087000-memory.dmp (Filesize: 20KB)
- memory/1108-6-0x0000000000000000-mapping.dmp
- memory/2060-9-0x0000000000000000-mapping.dmp