Analysis
max time kernel: 139s
max time network: 134s
platform: windows10_x64
resource: win10v20201028
submitted: 13-12-2020 03:55

Static task: static1
Behavioral task: behavioral1
Sample: legal paper 12.20.doc
Resource: win7v20201028
General
Target: legal paper 12.20.doc
Size: 91KB
MD5: af4aae598fca3fb06d8fc8a71e52b949
SHA1: 984376a9eda44cdd26014e69870aef6c3d54606f
SHA256: 22ade5dbd3fb6a4d10a8b2f177e85d86672dbd3c8c2863815d8f774388750362
SHA512: 4332368ff6c49ea1dacc278f5d933c8b51b8f75719649631db3f3713bf2513a35638d3bd5ac78b8be9badd8b12628749689f05d7e1a6fdd9685b54cf6d198149
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2604 | 648 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (7 IoCs)
  Processes: mshta.exe, rundll32.exe
  flow | pid | process
  21 | 1156 | mshta.exe
  26 | 3932 | rundll32.exe
  28 | 3932 | rundll32.exe
  30 | 3932 | rundll32.exe
  32 | 3932 | rundll32.exe
  34 | 3932 | rundll32.exe
  36 | 3932 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  3932 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here the reads are made by WINWORD.EXE itself, which also performs them when opening benign documents, so on their own they are weak evidence against this sample.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  648 | WINWORD.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  3932 | rundll32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes: WINWORD.EXE
  pid | process
  648 | WINWORD.EXE (18 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, mshta.exe
  description | pid | process | target process
  PID 648 wrote to memory of 2604 | 648 | WINWORD.EXE | rundll32.exe (2 occurrences)
  PID 2604 wrote to memory of 1156 | 2604 | rundll32.exe | mshta.exe (3 occurrences)
  PID 1156 wrote to memory of 3932 | 1156 | mshta.exe | rundll32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 648)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper 12.20.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID 2604)
    "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
    - Process spawned unexpected child process
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (PID 1156)
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (PID 3932)
        "C:\Windows\System32\rundll32.exe" c:\programdata\aTX4l.pdf,ShowDialogA -r
        (The command line names System32\rundll32.exe, but the parent mshta.exe is the 32-bit SysWOW64 copy, so WOW64 file system redirection resolved the path to SysWOW64\rundll32.exe, which is the image that actually ran.)
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
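Every image in the chain above is a signed Windows binary (Word starts rundll32.exe with url.dll,OpenURL to hand an .hta to mshta.exe, which starts rundll32.exe on a DLL named .pdf), so the detection value lies in the parent/child relationships and the shape of the command lines rather than in the images themselves. The following is an added example, not part of this report or of the sandbox's own signature set: it encodes those relationships as rules and runs them over constructed process-creation events that mirror the tree above. The four PIDs are the reported ones; the parent PID 4000 for WINWORD.EXE, the LOLBin list and the staging-directory list are assumptions.

```python
"""Detection rules for the WINWORD -> rundll32 -> mshta -> rundll32 chain.

Added example, not part of the sandbox report. Events below are constructed
from the report's process tree; the parent PID of WINWORD.EXE is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed list of signed Windows binaries Office has no business starting.
LOLBINS = {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "regsvr32.exe", "certutil.exe"}
# Assumed list of world-writable staging directories; the sample used the first two.
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as reported by the sensor
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def rundll32_module(cmdline: str) -> Optional[Tuple[str, str]]:
    """Split a rundll32 command line into (module, export).

    rundll32 takes <module>,<entry> as its first argument; the module may be
    quoted, and the entry name runs up to the next whitespace.
    """
    m = re.search(r'rundll32\.exe"?\s+(?:"([^"]+)"|(\S+?)),(\S+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) hits in event order."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        child = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        # Rule 1: an Office application spawning a LOLBin is how a macro or
        # exploit leaves the document ("Process spawned unexpected child process").
        if parent and basename(parent.image).lower() in OFFICE_APPS and child in LOLBINS:
            hits.append((e.pid, f"office-spawns-lolbin:{basename(parent.image)}->{basename(e.image)}"))
        if child == "rundll32.exe":
            parsed = rundll32_module(e.cmdline)
            if parsed:
                module, export = parsed
                # Rule 2: url.dll,OpenURL / FileProtocolHandler hands its argument to
                # the file association, which for an .hta means mshta.exe.
                if basename(module).lower() == "url.dll" and export.lower() in ("openurl", "fileprotocolhandler"):
                    hits.append((e.pid, "rundll32-url-dll-launcher"))
                # Rule 3: rundll32 only loads PE images, so a module not named .dll
                # is a DLL masquerading as a document or data file.
                if not module.lower().endswith(".dll"):
                    hits.append((e.pid, f"rundll32-non-dll-module:{basename(module)}"))
        if child == "mshta.exe":
            # Rule 4: an HTA executed out of a world-writable staging directory.
            low = e.cmdline.lower()
            if any(d in low for d in STAGING_DIRS):
                hits.append((e.pid, "mshta-from-staging-dir"))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> str:
    """Walk parent links upwards from pid, for alert context."""
    by_pid = {e.pid: e for e in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(names)


# Constructed events mirroring the report's process tree (PIDs as reported).
EVENTS = [
    ProcEvent(648, 4000, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper 12.20.doc" /o ""'),
    ProcEvent(2604, 648, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta'),
    ProcEvent(1156, 2604, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcEvent(3932, 1156, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" c:\programdata\aTX4l.pdf,ShowDialogA -r'),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {rule:<52} {ancestry(EVENTS, pid)}")
```

Rule 1 fires only on the Word-to-rundll32 hop; the later hops are not Office children, which is why rules 2 to 4 are needed to cover the rest of the chain independently of what the first stage looked like. On a real sensor feed the parent image should come from the event's own parent field rather than a PID lookup, since PIDs are reused.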
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: ec0f5514763c7ae11c16d83a463d4a07
  SHA1: ed61425b573626e248f8c8cce2975178f49fac5e
  SHA256: 42943873febe7b152b2e7ecc0bef232f5143b55c11934e2f07af025b30e5d719
  SHA512: b96a077f01a836cff4af3ad2d30e6bf9b7f9e921aa17163d8b1c53b95d28032be035011b085da4c123e61de8cb5225e55b866edd0805843fed8d5f13431fdb6f
- \??\c:\programdata\aTX4l.pdf
  MD5: dff847aecbadb00a7ec9360ba1f7599f
  SHA1: c9700268c8eb9204a0e693b8ab44b9ade7c5d648
  SHA256: b6d2b65a8a504da9837046a3f413749312c0d269992a339a886a33728d35b901
  SHA512: 7f0b8d9f566a4fb3a7adff2e74496ec0fcf06d16f7ca27e4280a97886af6c96140495b2b696e3a3199f8a6fe846cb36c105e554e9d0df4ab6e114f4f0a958fdd
- \ProgramData\aTX4l.pdf (same content as the entry above)
  MD5: dff847aecbadb00a7ec9360ba1f7599f
  SHA1: c9700268c8eb9204a0e693b8ab44b9ade7c5d648
  SHA256: b6d2b65a8a504da9837046a3f413749312c0d269992a339a886a33728d35b901
  SHA512: 7f0b8d9f566a4fb3a7adff2e74496ec0fcf06d16f7ca27e4280a97886af6c96140495b2b696e3a3199f8a6fe846cb36c105e554e9d0df4ab6e114f4f0a958fdd
- memory/648-2-0x00007FFA2D400000-0x00007FFA2DA37000-memory.dmp
  Filesize: 6.2MB
- memory/648-4-0x000002612AD13000-0x000002612AD7D000-memory.dmp
  Filesize: 424KB
- memory/648-5-0x000002612AD13000-0x000002612AD7D000-memory.dmp
  Filesize: 424KB
- memory/1156-8-0x0000000000000000-mapping.dmp
- memory/2604-6-0x0000000000000000-mapping.dmp
- memory/3932-9-0x0000000000000000-mapping.dmp
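The "Downloads MZ/PE file" and "Loads dropped DLL" signatures, together with the command line rundll32.exe c:\programdata\aTX4l.pdf,ShowDialogA, say that the file listed here under a .pdf name is a PE image that rundll32.exe loaded and called into; because the loader was the 32-bit SysWOW64 rundll32.exe, the image had to be 32-bit. The following is an added example, not part of this report: it classifies a dropped file by its DOS and COFF headers rather than by extension, and matches its hashes against the IOCs listed above. The PE built by build_min_pe() is a constructed header-only stand-in, not the real aTX4l.pdf, so its hashes do not match the report's; the REPORT_IOCS values are copied from the Downloads section.

```python
r"""Content-based triage of a dropped file such as c:\programdata\aTX4l.pdf.

Added example, not part of the sandbox report. Hashes in REPORT_IOCS are
the report's; the PE bytes from build_min_pe() are constructed.
"""
import hashlib
import struct
from typing import Optional, Set, Tuple

# Hashes taken from the report's Downloads section.
REPORT_IOCS = {
    "index.hta": {"md5": "ec0f5514763c7ae11c16d83a463d4a07",
                  "sha256": "42943873febe7b152b2e7ecc0bef232f5143b55c11934e2f07af025b30e5d719"},
    "aTX4l.pdf": {"md5": "dff847aecbadb00a7ec9360ba1f7599f",
                  "sha256": "b6d2b65a8a504da9837046a3f413749312c0d269992a339a886a33728d35b901"},
}

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag
MACHINES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}
PE_EXTENSIONS = {"exe", "dll", "sys", "ocx", "cpl", "drv", "scr"}


def parse_pe(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (Machine, Characteristics) from the COFF header, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _nsect, _stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return machine, chars


def classify(name: str, data: bytes) -> str:
    """Describe what the bytes are and whether the file extension is lying."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    pe = parse_pe(data)
    if pe is None:
        return f"not a PE image (extension .{ext})"
    machine, chars = pe
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    verdict = f"PE {kind} ({MACHINES.get(machine, hex(machine))})"
    if ext not in PE_EXTENSIONS:
        verdict += f" masquerading as .{ext}"
    return verdict


def match_iocs(data: bytes) -> Set[str]:
    """Names from REPORT_IOCS whose MD5 or SHA256 equals that of the given bytes."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    return {n for n, h in REPORT_IOCS.items() if md5 == h["md5"] or sha256 == h["sha256"]}


def build_min_pe(machine: int = 0x14C, chars: int = 0x2102) -> bytes:
    """Constructed header-only PE: a 64-byte DOS header with e_lfanew = 0x40,
    then the PE signature and a COFF header. The default 0x2102 is
    EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL, i.e. a 32-bit DLL, which is the
    only kind the SysWOW64 rundll32.exe in this report could have loaded."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE = build_min_pe()   # constructed stand-in for c:\programdata\aTX4l.pdf

if __name__ == "__main__":
    print(classify("aTX4l.pdf", SAMPLE))
    print("matches report IOCs:", match_iocs(SAMPLE) or "none")
```

On a real disk image, read the bytes of \ProgramData\aTX4l.pdf into SAMPLE: classify() tells you whether the extension is a lie, and match_iocs() returning {'aTX4l.pdf'} confirms the file is the same payload this report hashed rather than a newer build of the same dropper.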