Analysis
- max time kernel: 139s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-12-2020 01:51

Static task: static1
Behavioral task: behavioral1
Sample: input-12.20.doc
Resource: win7v20201028
General
- Target: input-12.20.doc
- Size: 90KB
- MD5: b62c202699132594e5d95bd22c9f3fb8
- SHA1: f129c898c8c4b893c8e78bd79fc60b460d292e60
- SHA256: e27ec64bfb5e248f294855366e6cfe5884874a77a9ec5429843c3da37bd0428e
- SHA512: 879eb7b6e73379e73ea72ba3e432c47cf9212c2082605079ebcc143cde2199bccf8f455de7e7decc5c18e4e2262111ead00de717b31e31df322c66d0d634863b
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2724 | 972 | rundll32.exe | WINWORD.EXE

- Blocklisted process makes network request (7 IoCs)
  Processes:
  flow | pid | process
  18 | 4092 | mshta.exe
  26 | 508 | rundll32.exe
  30 | 508 | rundll32.exe
  35 | 508 | rundll32.exe
  37 | 508 | rundll32.exe
  39 | 508 | rundll32.exe
  40 | 508 | rundll32.exe

- Downloads MZ/PE file

- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  508 | rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  pid | process
  972 | WINWORD.EXE (2 events)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  508 | rundll32.exe (2 events)

- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes:
  pid | process
  972 | WINWORD.EXE (18 events)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 972 wrote to memory of 2724 | 972 | WINWORD.EXE | rundll32.exe (2 events)
  PID 2724 wrote to memory of 4092 | 2724 | rundll32.exe | mshta.exe (3 events)
  PID 4092 wrote to memory of 508 | 4092 | mshta.exe | rundll32.exe (3 events)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\input-12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aLtuD.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\users\public\index.hta
  MD5: 2af302fc16fc949ec89af790606ffbda
  SHA1: 6ba7d07564848fb24fd9a28f213bb79c03b207ea
  SHA256: 3990b1ead98cd08208bfae8f0caccd8959d4d6035390fdf375d34a15411a8542
  SHA512: faf7cb8e61aa6b59a7261c0eb7330a10f5d8cc1bb8335bb856e98b92613cb5e4e48616e40bc6739ce1cd1b8a902d9b8c4e68f72f94a8311f6de7d4ca8933d39e
- \??\c:\programdata\aLtuD.pdf
  MD5: 08801114db495223f7f144cf1f8ed748
  SHA1: f95297d001d8c37145fc0ab92d07ff82b6cd75cc
  SHA256: fdddb399e08255aa8644f4025db867da7983c104065a2ce8bbd7089d8be943ec
  SHA512: e6576cb8af704e1b850b04c17dcc91a632b9031eb005889b5f17253c22c80418571c6b2dd2244cdd2037278ea3638725882c4ec5ef507e3e8d9149965e849cfe
- \ProgramData\aLtuD.pdf (same file as the entry above; identical MD5, SHA1, SHA256 and SHA512)
- memory/508-9-0x0000000000000000-mapping.dmp
- memory/972-2-0x000001D860250000-0x000001D860887000-memory.dmp (Filesize: 6.2MB)
- memory/972-3-0x000001D868C6B000-0x000001D868C81000-memory.dmp (Filesize: 88KB)
- memory/2724-6-0x0000000000000000-mapping.dmp
- memory/4092-8-0x0000000000000000-mapping.dmp