Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
12-12-2020 05:15
Static task
static1
Behavioral task
behavioral1
Sample
KMbZKdhI.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
KMbZKdhI.doc
Resource
win10v20201028
General
-
Target
KMbZKdhI.doc
-
Size
383KB
-
MD5
9bcd01e5e8544e3bd39c0594f5407136
-
SHA1
4b927038a6c86c14a2bbd0019a7b251b9097339f
-
SHA256
36690bf953192eb205f486a364f788fd75aafa0e119bacb039f2503d4e81d0fa
-
SHA512
65fa3b3969f05e3d5b95492a3e701f91f741561732679cbe6352eceb8fca759d5cb4c3b087f05afeb0c3bf68825cfb5c259c4e6b577eae059780748bbb85eff8
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2104 880 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 4 IoCs
Processes:
rundll32.exeflow pid process 30 2328 rundll32.exe 32 2328 rundll32.exe 34 2328 rundll32.exe 40 2328 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2328 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 29 api.ipify.org -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{4927171E-5E01-4CC3-B994-B0C36E52B774}\ya.wav:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 880 WINWORD.EXE 880 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 2328 rundll32.exe 2328 rundll32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 880 wrote to memory of 1380 880 WINWORD.EXE splwow64.exe PID 880 wrote to memory of 1380 880 WINWORD.EXE splwow64.exe PID 880 wrote to memory of 2104 880 WINWORD.EXE rundll32.exe PID 880 wrote to memory of 2104 880 WINWORD.EXE rundll32.exe PID 2104 wrote to memory of 2328 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2328 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2328 2104 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KMbZKdhI.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
568d2a921803273fb4bc6c93777ae28f
SHA142eae39811042e0107260f10f1db0f92e270acfb
SHA2562da5c4e9401d3c04a0fc1a1adff28c1514cf6e282f581cb8dc965649c58e4047
SHA5120979e7c586cf661212c2dfdf1af941e88f15bc1d93dfac60b446b314d4a1dd02ee02fee9290237e4d4dacee56793a44641e1c84bda0a3b735a71ceb347dd049b
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
568d2a921803273fb4bc6c93777ae28f
SHA142eae39811042e0107260f10f1db0f92e270acfb
SHA2562da5c4e9401d3c04a0fc1a1adff28c1514cf6e282f581cb8dc965649c58e4047
SHA5120979e7c586cf661212c2dfdf1af941e88f15bc1d93dfac60b446b314d4a1dd02ee02fee9290237e4d4dacee56793a44641e1c84bda0a3b735a71ceb347dd049b
-
memory/880-2-0x00000131E3F90000-0x00000131E45C7000-memory.dmpFilesize
6MB
-
memory/880-6-0x00000131E3B44000-0x00000131E3BDB000-memory.dmpFilesize
604KB
-
memory/880-7-0x00000131E3B44000-0x00000131E3BDB000-memory.dmpFilesize
604KB
-
memory/1380-8-0x0000000000000000-mapping.dmp
-
memory/1380-9-0x0000000002C00000-0x0000000002C01000-memory.dmpFilesize
4KB
-
memory/1380-10-0x0000000001140000-0x0000000001141000-memory.dmpFilesize
4KB
-
memory/1380-11-0x00000000033E0000-0x00000000033E1000-memory.dmpFilesize
4KB
-
memory/2104-13-0x0000000000000000-mapping.dmp
-
memory/2328-15-0x0000000000000000-mapping.dmp