Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-12-2020 05:15

General

  • Target

    KMbZKdhI.doc

  • Size

    383KB

  • MD5

    9bcd01e5e8544e3bd39c0594f5407136

  • SHA1

    4b927038a6c86c14a2bbd0019a7b251b9097339f

  • SHA256

    36690bf953192eb205f486a364f788fd75aafa0e119bacb039f2503d4e81d0fa

  • SHA512

    65fa3b3969f05e3d5b95492a3e701f91f741561732679cbe6352eceb8fca759d5cb4c3b087f05afeb0c3bf68825cfb5c259c4e6b577eae059780748bbb85eff8

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KMbZKdhI.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:880
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1380
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2328

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
      MD5

      568d2a921803273fb4bc6c93777ae28f

      SHA1

      42eae39811042e0107260f10f1db0f92e270acfb

      SHA256

      2da5c4e9401d3c04a0fc1a1adff28c1514cf6e282f581cb8dc965649c58e4047

      SHA512

      0979e7c586cf661212c2dfdf1af941e88f15bc1d93dfac60b446b314d4a1dd02ee02fee9290237e4d4dacee56793a44641e1c84bda0a3b735a71ceb347dd049b

    • \Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll
      MD5

      568d2a921803273fb4bc6c93777ae28f

      SHA1

      42eae39811042e0107260f10f1db0f92e270acfb

      SHA256

      2da5c4e9401d3c04a0fc1a1adff28c1514cf6e282f581cb8dc965649c58e4047

      SHA512

      0979e7c586cf661212c2dfdf1af941e88f15bc1d93dfac60b446b314d4a1dd02ee02fee9290237e4d4dacee56793a44641e1c84bda0a3b735a71ceb347dd049b

    • memory/880-2-0x00000131E3F90000-0x00000131E45C7000-memory.dmp
      Filesize

      6MB

    • memory/880-6-0x00000131E3B44000-0x00000131E3BDB000-memory.dmp
      Filesize

      604KB

    • memory/880-7-0x00000131E3B44000-0x00000131E3BDB000-memory.dmp
      Filesize

      604KB

    • memory/1380-8-0x0000000000000000-mapping.dmp
    • memory/1380-9-0x0000000002C00000-0x0000000002C01000-memory.dmp
      Filesize

      4KB

    • memory/1380-10-0x0000000001140000-0x0000000001141000-memory.dmp
      Filesize

      4KB

    • memory/1380-11-0x00000000033E0000-0x00000000033E1000-memory.dmp
      Filesize

      4KB

    • memory/2104-13-0x0000000000000000-mapping.dmp
    • memory/2328-15-0x0000000000000000-mapping.dmp