Analysis

max time kernel: 139s
max time network: 139s
platform: windows10_x64
resource: win10v20201028
submitted: 15-12-2020 14:40

Static task: static1
Behavioral task: behavioral1
Sample: adjure.12.20.doc
Resource: win7v20201028
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  process: rundll32.exe (pid 3680)
  target process: WINWORD.EXE (pid_target 732)
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
Blocklisted process makes network request (8 IoCs)
Processes: mshta.exe, rundll32.exe
  flow  pid   process
  24    2240  mshta.exe
  35    2188  rundll32.exe
  37    2188  rundll32.exe
  39    2188  rundll32.exe
  41    2188  rundll32.exe
  43    2188  rundll32.exe
  45    2188  rundll32.exe
  46    2188  rundll32.exe
Downloads MZ/PE file
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid   process
  2188  rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description        ioc                                                                            process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz           WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description        ioc                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Modifies registry class (1 IoC)
Processes: rundll32.exe
  description  ioc                                                                                      process
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings    rundll32.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid  process
  732  WINWORD.EXE
  732  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid   process
  2188  rundll32.exe
  2188  rundll32.exe
Suspicious use of SetWindowsHookEx (19 IoCs)
Processes: WINWORD.EXE
  pid  process
  732  WINWORD.EXE  (19 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: WINWORD.EXE, rundll32.exe, mshta.exe
  description                       pid   process       target process
  PID 732 wrote to memory of 3680   732   WINWORD.EXE   rundll32.exe   (2 entries)
  PID 3680 wrote to memory of 2240  3680  rundll32.exe  mshta.exe      (3 entries)
  PID 2240 wrote to memory of 2188  2240  mshta.exe     rundll32.exe   (3 entries)
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure.12.20.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe
         "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\System32\rundll32.exe" c:\programdata\acaoy9.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\index.hta
  MD5     50036f81bece98369a3b0ba4cf6954e4
  SHA1    7d619f79bff499e543ebda1f2930fbc4136a456a
  SHA256  756de1442605cc97df5a2ba2ec9c5c4f771a98c68533895a3314939e82977443
  SHA512  2fe3d8b58db88caeb3b96312aede3c2c97fbc13a49cd04964471d6507af8afdd64408072a6c1da1c2e6e09a390fcd077caa173e3d1da0a86e1892d207a39ba92

\??\c:\programdata\acaoy9.pdf
  MD5     1d50e38eb03b9d537509ea797ef67d42
  SHA1    293475cc3ca5651e6d299bd90d9c6f7ab7bfc1f7
  SHA256  dcb36145cc85ac2fc683db8d1901aa2de441b39273edb8d66e749c60e459feef
  SHA512  0984fd4a7c58324813d6acef4b2d659b3d4ed8612173ceb98e0ca654f46779f2193219107ea5d57eea346b10162660fada633ac49ff0419a47482c70c3a581d0

\ProgramData\acaoy9.pdf
  MD5     1d50e38eb03b9d537509ea797ef67d42
  SHA1    293475cc3ca5651e6d299bd90d9c6f7ab7bfc1f7
  SHA256  dcb36145cc85ac2fc683db8d1901aa2de441b39273edb8d66e749c60e459feef
  SHA512  0984fd4a7c58324813d6acef4b2d659b3d4ed8612173ceb98e0ca654f46779f2193219107ea5d57eea346b10162660fada633ac49ff0419a47482c70c3a581d0

memory/732-2-0x00007FF99AF40000-0x00007FF99B577000-memory.dmp
  Filesize  6.2MB

memory/732-3-0x000001D6947FE000-0x000001D69480F000-memory.dmp
  Filesize  68KB

memory/2188-9-0x0000000000000000-mapping.dmp

memory/2240-8-0x0000000000000000-mapping.dmp

memory/3680-6-0x0000000000000000-mapping.dmp