Analysis
- max time kernel: 136s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-12-2020 01:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: commerce ,12.09.2020.doc
- Resource: win7v20201028
General
- Target: commerce ,12.09.2020.doc
- Size: 76KB
- MD5: e4ed13e9bb520ca239f22b0975635375
- SHA1: aecceac8f470893170663aff507e9a93581442f8
- SHA256: 79d039cacf9d5c4011b56709c53de1a8be20010484a69d118ac91fcce6f2c253
- SHA512: b5320be82f5d2ad1e0192ec6cf6f8821162fb997fab329f373d73df51fe35a5ec648eb3495434658f723fb72e6ac20d6ca28c6bd5700aad9afca0956e49fd881
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 2412; pid_target: 4020; process: rundll32.exe; target process: WINWORD.EXE
- Blocklisted process makes network request (7 IoCs)
  Processes: mshta.exe, rundll32.exe
    flow: 13; pid: 188; process: mshta.exe
    flow: 29; pid: 3636; process: rundll32.exe
    flow: 31; pid: 3636; process: rundll32.exe
    flow: 37; pid: 3636; process: rundll32.exe
    flow: 39; pid: 3636; process: rundll32.exe
    flow: 41; pid: 3636; process: rundll32.exe
    flow: 42; pid: 3636; process: rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid: 3636; process: rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: rundll32.exe
    description: Key created; ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings; process: rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid: 4020; process: WINWORD.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid: 3636; process: rundll32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: WINWORD.EXE
    pid: 4020; process: WINWORD.EXE (17 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, mshta.exe
    description: PID 4020 wrote to memory of 2412; pid: 4020; process: WINWORD.EXE; target process: rundll32.exe (2 occurrences)
    description: PID 2412 wrote to memory of 188; pid: 2412; process: rundll32.exe; target process: mshta.exe (3 occurrences)
    description: PID 188 wrote to memory of 3636; pid: 188; process: mshta.exe; target process: rundll32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce ,12.09.2020.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (child of WINWORD.EXE)
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (child of rundll32.exe)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (child of mshta.exe)
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aFAXy.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: ba3dd20a06e9e33867dc14e3268671a9
  SHA1: 8cf703ef9ae1ebb3b8f2dc7de2326d984fdb318b
  SHA256: 1f3ceab93354f2360bda3b43d4b97e174160ca50cd3704a1a46869e35e30f362
  SHA512: 552c860b55573d57debe4fc3f07bc8063860c31da55a31daba3779a43c8e6a4137f8978458c0ceee0e979cb9b62a9e4dd85f5e30a7412715e1bf60e238f18473
- \??\c:\programdata\aFAXy.pdf
  MD5: c6ed8da09da9d1f3f9fa5fc3f22915ed
  SHA1: 3932eb15fcffbac34b27be57ffa4803253bc9b6c
  SHA256: 848b872b7ab9bef9fb0c73f5ee6cceb02a329efbbc38467b878aab8cef2ae65b
  SHA512: 1aef5a1f9f4d5c3df6b94ac848459ff9fc7230664a0bd274bd1947d926bbb49a4ef9dafbee10b478ca25e67232aab12877d0a639c5e34de7a6af27f2d7850fba
- \ProgramData\aFAXy.pdf
  MD5: c6ed8da09da9d1f3f9fa5fc3f22915ed
  SHA1: 3932eb15fcffbac34b27be57ffa4803253bc9b6c
  SHA256: 848b872b7ab9bef9fb0c73f5ee6cceb02a329efbbc38467b878aab8cef2ae65b
  SHA512: 1aef5a1f9f4d5c3df6b94ac848459ff9fc7230664a0bd274bd1947d926bbb49a4ef9dafbee10b478ca25e67232aab12877d0a639c5e34de7a6af27f2d7850fba
- memory/188-7-0x0000000000000000-mapping.dmp
- memory/2412-5-0x0000000000000000-mapping.dmp
- memory/3636-8-0x0000000000000000-mapping.dmp
- memory/4020-2-0x00007FFE00290000-0x00007FFE008C7000-memory.dmp
  Filesize: 6.2MB
- memory/4020-3-0x000001FC96D27000-0x000001FC96D2C000-memory.dmp
  Filesize: 20KB
- memory/4020-4-0x000001FC96D27000-0x000001FC96D2C000-memory.dmp
  Filesize: 20KB