Analysis
-
max time kernel
123s -
max time network
124s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
15-12-2020 15:51
Static task
static1
Behavioral task
behavioral1
Sample
intelligence 12.15.20.doc
Resource
win7v20201028
General
-
Target
intelligence 12.15.20.doc
-
Size
94KB
-
MD5
cae7a9d8c05bb9e0f6210680d01ace3b
-
SHA1
89bf3e579265b7b743f123b51f0995d482ad7587
-
SHA256
a693c322ccdfcae8ca552dcb1179e483b72719c1f3586acb8c09949c1b71c0df
-
SHA512
f2072b4c22894f83266f0854941cc9d5af2f3f92f8ef003bc49316567ebbe6dbb2052e95cb5367694faffdf0eac9a337e0214ef1b0e3483f63cd72e3c67787b3
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1608 1992 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 6 324 mshta.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1992 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE 1992 WINWORD.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
WINWORD.EXErundll32.exemshta.exedescription pid process target process PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1992 wrote to memory of 1608 1992 WINWORD.EXE rundll32.exe PID 1608 wrote to memory of 324 1608 rundll32.exe mshta.exe PID 1608 wrote to memory of 324 1608 rundll32.exe mshta.exe PID 1608 wrote to memory of 324 1608 rundll32.exe mshta.exe PID 1608 wrote to memory of 324 1608 rundll32.exe mshta.exe PID 1992 wrote to memory of 328 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 328 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 328 1992 WINWORD.EXE splwow64.exe PID 1992 wrote to memory of 328 1992 WINWORD.EXE splwow64.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe PID 324 wrote to memory of 1844 324 mshta.exe rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\intelligence 12.15.20.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\programdata\aMvl4.pdf,ShowDialogA -r4⤵
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\index.htaMD5
478ad2476fae05ae109845bc5e8165f8
SHA183cdd78c74c5548775c16e187258eccf037ae58e
SHA25695129bba2c036259fa080060421a1379bbb234cb7161004f27276e861236ddfc
SHA51205207941b294f08bb295c26e22e8535571967e17d89e3bc6b27d53ddc20cfcb683168ce0a9372f79815e419b83d657aa1112cadd2025b53dae5326de593324f4
-
\??\c:\programdata\aMvl4.pdfMD5
d7f2a2c51e0899e2279e37bb85869c96
SHA11e370850d9c3dd2c4c69c3b3328a69cded4cc1d4
SHA25619553aca4c518ed878c126c1f1e513e74e4b150774ce69c63b3e9e2fd52adc52
SHA512ff42b1e977ad03a5290962fb7867a5104ad033e21737f16b1f866aba61af08f93b7f8d78e3d5807510be946536c3f4464bf1debd6264412185925eeb465f3d9f
-
memory/324-6-0x0000000000000000-mapping.dmp
-
memory/324-11-0x0000000006B90000-0x0000000006BB3000-memory.dmpFilesize
140KB
-
memory/328-7-0x0000000000000000-mapping.dmp
-
memory/1608-4-0x0000000000000000-mapping.dmp
-
memory/1656-8-0x000007FEF7020000-0x000007FEF729A000-memory.dmpFilesize
2.5MB
-
memory/1844-9-0x0000000000000000-mapping.dmp
-
memory/1992-2-0x0000000000534000-0x0000000000537000-memory.dmpFilesize
12KB
-
memory/1992-3-0x00000000004FA000-0x0000000000505000-memory.dmpFilesize
44KB