Analysis
Max time kernel: 137s
Max time network: 133s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 10-12-2020 01:51

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: official paper.12.20.doc
  Resource: win7v20201028
General
Target: official paper.12.20.doc
Size: 77KB
MD5: 1b1b78aed0518d2608786b0c0a5af9ef
SHA1: 472a23c627100d627c8f98bde78a5bd28bcb2545
SHA256: 34ff76103583c35bebe706f721e1e692a7c34b226eb32fa96de9dcd4c8db7ddc
SHA512: 17b041223b618ba08f4f504bd43bff2bc4c6044eea86f5c17c5c1448e643ccccd56e2da8780ea91b21205dcd22aa4749a31216676b6943cf6903c3cb4dec4002
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                              | pid  | pid_target | process      | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1008 | 4092       | rundll32.exe | WINWORD.EXE
Blocklisted process makes network request (7 IoCs)
Processes:
  flow | pid  | process
  13   | 752  | mshta.exe
  28   | 1872 | rundll32.exe
  30   | 1872 | rundll32.exe
  36   | 1872 | rundll32.exe
  38   | 1872 | rundll32.exe
  40   | 1872 | rundll32.exe
  41   | 1872 | rundll32.exe
Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  1872 | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                                   | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description       | ioc                                                              | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS               | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     | WINWORD.EXE
Modifies registry class (1 IoC)
Processes:
  description | ioc                                                                                   | process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings   | rundll32.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid  | process
  4092 | WINWORD.EXE (2 identical entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1872 | rundll32.exe (2 identical entries)

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
  pid  | process
  4092 | WINWORD.EXE (17 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      | pid  | process      | target process
  PID 4092 wrote to memory of 1008 | 4092 | WINWORD.EXE  | rundll32.exe (2 identical entries)
  PID 1008 wrote to memory of 752  | 1008 | rundll32.exe | mshta.exe (3 identical entries)
  PID 752 wrote to memory of 1872  | 752  | mshta.exe    | rundll32.exe (3 identical entries)
Processes (tree, level 1 is the root)

Level 1: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\official paper.12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
  - Process spawned unexpected child process
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\mshta.exe
  Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\arm2sL.pdf,ShowDialogA -r
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\index.hta
  MD5: cdb6cd41f190c13a1be598a9bf6c596f
  SHA1: 0ff0df401737d017d6c3c191e7e563626b3cedb4
  SHA256: 1b0f0e64d14ab36096bce932480f7e3e4357479641a75cf7c35bbbaa6590c4b4
  SHA512: dd0ce2e64e8f5158dd3bcb04f0e935a4f7ec65541b1c79744a7354c247fa0c446c05988bc399933bcff72d658971238705c2e4001a964a663f2c1c88f4715b6d

\??\c:\programdata\arm2sL.pdf
  MD5: f95dc82fd1ca58390a6139a3d24bc165
  SHA1: d1cc0401e6f5be4de588f3ad8eff28b9d41d70c0
  SHA256: 4e8c0e221758786fff06cc9b560be681ba10facb05e47c1eb4492b19a0cc441a
  SHA512: d8a1172f432652afa863cf8013a012c88598e3ca9d0971f8a6549c79f0449fc04db1d7a436ed95b6e8bd4ad5fc9e1d5c26dd417903ea5621c6b5a08a628b698f

\ProgramData\arm2sL.pdf
  MD5: f95dc82fd1ca58390a6139a3d24bc165
  SHA1: d1cc0401e6f5be4de588f3ad8eff28b9d41d70c0
  SHA256: 4e8c0e221758786fff06cc9b560be681ba10facb05e47c1eb4492b19a0cc441a
  SHA512: d8a1172f432652afa863cf8013a012c88598e3ca9d0971f8a6549c79f0449fc04db1d7a436ed95b6e8bd4ad5fc9e1d5c26dd417903ea5621c6b5a08a628b698f

Memory dumps
  memory/752-7-0x0000000000000000-mapping.dmp
  memory/1008-5-0x0000000000000000-mapping.dmp
  memory/1872-8-0x0000000000000000-mapping.dmp
  memory/4092-2-0x00007FFFCB550000-0x00007FFFCBB87000-memory.dmp  Filesize: 6.2MB
  memory/4092-3-0x0000023009670000-0x0000023009675000-memory.dmp  Filesize: 20KB
  memory/4092-4-0x0000023009675000-0x000002300967A000-memory.dmp  Filesize: 20KB