Analysis
- max time kernel: 137s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-12-2020 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: instrument indenture,12.11.2020.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: instrument indenture,12.11.2020.doc
  Resource: win10v20201028
General
- Target: instrument indenture,12.11.2020.doc
- Size: 83KB
- MD5: 25f8d256895690c4cd673f36f3782a45
- SHA1: 7be15c189e2fb7552c832a81fcf5dd67c4b5bf7d
- SHA256: 4f423d4ab78a5201862d4a04c294f33bd6e01df2bf8d1c38053e3e099723496d
- SHA512: 1be3cb372e347ae0a03a03fac858a2417e9d15fdddd7fa48d1c1e60e56ea2f12560b0e9374e39a25807d0892ef7057dccfda5406a01f89b767983cd843d61d51
Malware Config
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1264 | 3576 | rundll32.exe | WINWORD.EXE
Blocklisted process makes network request (8 IoCs)
Processes: rundll32.exe
flow | pid | process
30 | 2732 | rundll32.exe
32 | 2732 | rundll32.exe
34 | 2732 | rundll32.exe
36 | 2732 | rundll32.exe
38 | 2732 | rundll32.exe
40 | 2732 | rundll32.exe
45 | 2732 | rundll32.exe
46 | 2732 | rundll32.exe
Downloads MZ/PE file
-
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | process
2732 | rundll32.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
3576 | WINWORD.EXE
3576 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid | process
2732 | rundll32.exe
2732 | rundll32.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
Processes: WINWORD.EXE
pid | process
3576 | WINWORD.EXE (18 identical rows)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: WINWORD.EXE, rundll32.exe
description | pid | process | target process
PID 3576 wrote to memory of 1264 | 3576 | WINWORD.EXE | rundll32.exe
PID 3576 wrote to memory of 1264 | 3576 | WINWORD.EXE | rundll32.exe
PID 1264 wrote to memory of 2732 | 1264 | rundll32.exe | rundll32.exe
PID 1264 wrote to memory of 2732 | 1264 | rundll32.exe | rundll32.exe
PID 1264 wrote to memory of 2732 | 1264 | rundll32.exe | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instrument indenture,12.11.2020.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32 c:\programdata\iwqOx.pdf,ShowDialogA -r
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 c:\programdata\iwqOx.pdf,ShowDialogA -r
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\programdata\iwqOx.pdf
  MD5: 8f346905de2448acdaa852abe048edf4
  SHA1: ec05425496016bc337b671ec682c2780fdd8f8d8
  SHA256: 8a18bfcc126278cc95b6859c1557018d3c979be08c460a8099b33a847713d414
  SHA512: 9ed34388b3223a38157b1a789279b25f8e11a17f5e45373f42268de7018285c6ca15ed798d11ab0b06d0924191462b2b3e4edfdcb3d824a4d41104dfc422f390
- \ProgramData\iwqOx.pdf
  MD5: 8f346905de2448acdaa852abe048edf4
  SHA1: ec05425496016bc337b671ec682c2780fdd8f8d8
  SHA256: 8a18bfcc126278cc95b6859c1557018d3c979be08c460a8099b33a847713d414
  SHA512: 9ed34388b3223a38157b1a789279b25f8e11a17f5e45373f42268de7018285c6ca15ed798d11ab0b06d0924191462b2b3e4edfdcb3d824a4d41104dfc422f390
- memory/1264-8-0x0000000000000000-mapping.dmp
- memory/2732-10-0x0000000000000000-mapping.dmp
- memory/3576-2-0x00000147C09F0000-0x00000147C1027000-memory.dmp
  Filesize: 6.2MB