Analysis
- Max time kernel: 140s
- Max time network: 141s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 10-12-2020 01:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: charge-12.20.doc
- Resource: win7v20201028
General
- Target: charge-12.20.doc
- Size: 90KB
- MD5: 76197f6d42cd64acde1972d4a52ae82d
- SHA1: 71654b1ae3657a9f18b97fd7a26cfda4e67b0988
- SHA256: 55d904b83f04acb4118df9b2bd3ebbd44b9553b0aabcfff7b68d674ddb6052cc
- SHA512: c7f2c95d6f02885403c88f549f14ee8fd8efde905f8b42362857b0c8c9f83e7b4bbe09f7933184f931049aba25d1112bac6fd488f95eebc94b75badc09cf3b8c
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1908 | 3132 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (7 IoCs)
  Processes: mshta.exe, rundll32.exe
    flow | pid | process
    25 | 3276 | mshta.exe
    32 | 1656 | rundll32.exe
    38 | 1656 | rundll32.exe
    42 | 1656 | rundll32.exe
    44 | 1656 | rundll32.exe
    46 | 1656 | rundll32.exe
    48 | 1656 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid | process
    1656 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: rundll32.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    3132 | WINWORD.EXE
    3132 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid | process
    1656 | rundll32.exe
    1656 | rundll32.exe
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes: WINWORD.EXE
    pid | process
    3132 | WINWORD.EXE (18 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, mshta.exe
    description | pid | process | target process
    PID 3132 wrote to memory of 1908 | 3132 | WINWORD.EXE | rundll32.exe (2 entries)
    PID 1908 wrote to memory of 3276 | 1908 | rundll32.exe | mshta.exe (3 entries)
    PID 3276 wrote to memory of 1656 | 3276 | mshta.exe | rundll32.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\charge-12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (depth 2, child of WINWORD.EXE)
    Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (depth 3, child of rundll32.exe)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (depth 4, child of mshta.exe)
        Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\a1ZcUb.pdf,ShowDialogA -r
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 638f28c4846813aa8a3f3ba8166190d8
  SHA1: 59267056de664af22622b0eda64337a18f8d6271
  SHA256: 6dde31588640f1ed817f3fbc3322c18b7d66719d1fcbc5e11a332da006512b66
  SHA512: a5f357c962ad9f03bd42c7b12fee71c8b51422fdc930cafffabc4fd18e4ec8021021499a1792f655530ddc437a49af5e4721c055c87f221504732a2ff7b7ad95
- \??\c:\programdata\a1ZcUb.pdf
  MD5: a1856975dc9d24664781f46c24e92e44
  SHA1: 8048f5f1367280bda428ef410f467a69343a486f
  SHA256: 79f7e431b8d3aefdde3155ca9a5c0e91178b5944f61ab78ddb4dedaf85cd8c1a
  SHA512: 45961465ebd175b25dcbbe6a4a82344ffe4221ab81bf0858769a10b809d791e5ea6bd50e4d5f31e991547dba24c798c7674387a4cf9c50478205740a28f9b513
- \ProgramData\a1ZcUb.pdf
  MD5: a1856975dc9d24664781f46c24e92e44
  SHA1: 8048f5f1367280bda428ef410f467a69343a486f
  SHA256: 79f7e431b8d3aefdde3155ca9a5c0e91178b5944f61ab78ddb4dedaf85cd8c1a
  SHA512: 45961465ebd175b25dcbbe6a4a82344ffe4221ab81bf0858769a10b809d791e5ea6bd50e4d5f31e991547dba24c798c7674387a4cf9c50478205740a28f9b513
- memory/1656-9-0x0000000000000000-mapping.dmp
- memory/1908-6-0x0000000000000000-mapping.dmp
- memory/3132-2-0x0000015663E50000-0x0000015664487000-memory.dmp
  Filesize: 6.2MB
- memory/3276-8-0x0000000000000000-mapping.dmp