Analysis
- max time kernel: 139s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-12-2020 18:19
- Static task: static1
- Behavioral task: behavioral1 (sample statistics.12.20.doc, resource win7v20201028)
- Behavioral task: behavioral2 (sample statistics.12.20.doc, resource win10v20201028)
General
- Target: statistics.12.20.doc
- Size: 83KB
- MD5: 3132824fb649bb9358abffdc67542593
- SHA1: a1bd53255b81a3dc7d3be1a2ca87522cbd758431
- SHA256: 785e7a1f4e7d48efff95dd5d5574d7326845e67ccf3dc9b4dd228d25246ba933
- SHA512: 04a8970679c9dc7d9732278cbb1f722c52ac2576c3b949a44e76d57cdc46068466fa2f5e1498dfbe1474bc7d036120459a4096bb69615657e3df9b20f55dfd5f
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1532 | 576 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (8 IoCs)
  Processes (flow | pid | process):
    29 | 2204 | rundll32.exe
    31 | 2204 | rundll32.exe
    33 | 2204 | rundll32.exe
    35 | 2204 | rundll32.exe
    37 | 2204 | rundll32.exe
    39 | 2204 | rundll32.exe
    41 | 2204 | rundll32.exe
    43 | 2204 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    2204 | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  Processes (description | flow | ioc):
    HTTP User-Agent header | 14 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    576 | WINWORD.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    2204 | rundll32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes (pid | process):
    576 | WINWORD.EXE (18 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
    PID 576 wrote to memory of 1532 | 576 | WINWORD.EXE | rundll32.exe (2 occurrences)
    PID 1532 wrote to memory of 2204 | 1532 | rundll32.exe | rundll32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\statistics.12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32 c:\programdata\iwqOx.pdf,ShowDialogA -r
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 c:\programdata\iwqOx.pdf,ShowDialogA -r
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\programdata\iwqOx.pdf
  MD5: 8f346905de2448acdaa852abe048edf4
  SHA1: ec05425496016bc337b671ec682c2780fdd8f8d8
  SHA256: 8a18bfcc126278cc95b6859c1557018d3c979be08c460a8099b33a847713d414
  SHA512: 9ed34388b3223a38157b1a789279b25f8e11a17f5e45373f42268de7018285c6ca15ed798d11ab0b06d0924191462b2b3e4edfdcb3d824a4d41104dfc422f390
- \ProgramData\iwqOx.pdf
  MD5: 8f346905de2448acdaa852abe048edf4
  SHA1: ec05425496016bc337b671ec682c2780fdd8f8d8
  SHA256: 8a18bfcc126278cc95b6859c1557018d3c979be08c460a8099b33a847713d414
  SHA512: 9ed34388b3223a38157b1a789279b25f8e11a17f5e45373f42268de7018285c6ca15ed798d11ab0b06d0924191462b2b3e4edfdcb3d824a4d41104dfc422f390
- memory/576-2-0x00007FFE95D50000-0x00007FFE96387000-memory.dmp
  Filesize: 6.2MB
- memory/1532-9-0x0000000000000000-mapping.dmp
- memory/2204-11-0x0000000000000000-mapping.dmp