Analysis
- max time kernel: 136s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-12-2020 01:50
Static task: static1
Behavioral task: behavioral1
- Sample: charge.12.20.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: charge.12.20.doc
- Resource: win10v20201028
General
- Target: charge.12.20.doc
- Size: 90KB
- MD5: 4757838ce415a0ab23282cb608ef45d5
- SHA1: fa5ee9b84f35b4dbb8fe426684aedfaaca979134
- SHA256: 40a2ad9eb3f20c7d4378fe86fca0a18f89230aa06d73a99ae2f08a32eccebede
- SHA512: e867c56a1a12ff67fbcee46d8878f31fc9c3170b3b9efad6118d93c0cb3c5e56201ced7690a204b7e942065c428f079ff8c94e68fb4025daa4d5ab24e4cef61c
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2012 | 1036 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (7 IoCs)
  Processes: mshta.exe, rundll32.exe
  flow | pid | process
  12 | 508 | mshta.exe
  28 | 3548 | rundll32.exe
  30 | 3548 | rundll32.exe
  36 | 3548 | rundll32.exe
  38 | 3548 | rundll32.exe
  40 | 3548 | rundll32.exe
  41 | 3548 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  3548 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1036 | WINWORD.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  3548 | rundll32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1036 | WINWORD.EXE (17 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, mshta.exe
  description | pid | process | target process
  PID 1036 wrote to memory of 2012 | 1036 | WINWORD.EXE | rundll32.exe (2 occurrences)
  PID 2012 wrote to memory of 508 | 2012 | rundll32.exe | mshta.exe (3 occurrences)
  PID 508 wrote to memory of 3548 | 508 | mshta.exe | rundll32.exe (3 occurrences)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 1036)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\charge.12.20.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\rundll32.exe (pid 2012), child of 1
      Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\mshta.exe (pid 508), child of 2
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\rundll32.exe (pid 3548), child of 3
            Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\a68ZHI.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 38c233c7e7a678300e46b5b6b14ba8c1
  SHA1: bbd23607bd8248cfe4862f87e0090009ff1ebdc9
  SHA256: 120e6785e11db67b26e44abefbbadf86900dbae78ae815b66b8c75d10e395370
  SHA512: f707c795b9b375b3960182ed07ea75052ebdc6f10bb8bda0711a32ea6a39fcebd5b9c7f6131c109c1c73458cc557b7f7ccc643da268a81a9feba7ee5b29dda22
- \??\c:\programdata\a68ZHI.pdf
  MD5: 570ae4538db42e12a48736413aee4ab4
  SHA1: 8fdc4b3f4f49eacf85c0a878e584c51d6972045d
  SHA256: d407c1e5646f7ab99cb9b0cf047398ffce10b0d98863e25c11bfa7e69d933435
  SHA512: c9a4442588b45de1be0f6afdf44da610c18308a66a9e86e34a59fd7f9129b507c5999a7d3abb463e1817df9be9a0a1ceda57998d96e92bbd401b1cf2c246caec
- \ProgramData\a68ZHI.pdf (same file as the entry above; identical MD5, SHA1, SHA256 and SHA512)
- memory/508-9-0x0000000000000000-mapping.dmp
- memory/1036-2-0x000002616D720000-0x000002616DD57000-memory.dmp (Filesize: 6.2MB)
- memory/2012-7-0x0000000000000000-mapping.dmp
- memory/3548-10-0x0000000000000000-mapping.dmp