Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
15-12-2020 14:11
Static task
static1
Behavioral task
behavioral1
Sample
require 12.20.doc
Resource
win7v20201028
General
-
Target
require 12.20.doc
-
Size
94KB
-
MD5
b3218a9b099653d0ebc1db27aa505fc5
-
SHA1
74a58b762eb0dd09e0b0cd310a21e05406b1e731
-
SHA256
999e7814917b82aa383ba96826af8ea3dca9d9e5fb67c04cc042b1ebf060e83f
-
SHA512
af650b58058375418e8f8cf97617c341c119bdf440a76881fa3720303f9fd820b96987de0f48e654544a95aea0ac86a63fa4587d9e2f60e069e945a6757cc8da
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1964 932 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
mshta.exeflow pid process 5 1796 mshta.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEmshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 932 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE 932 WINWORD.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
WINWORD.EXErundll32.exemshta.exedescription pid process target process PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 932 wrote to memory of 1964 932 WINWORD.EXE rundll32.exe PID 1964 wrote to memory of 1796 1964 rundll32.exe mshta.exe PID 1964 wrote to memory of 1796 1964 rundll32.exe mshta.exe PID 1964 wrote to memory of 1796 1964 rundll32.exe mshta.exe PID 1964 wrote to memory of 1796 1964 rundll32.exe mshta.exe PID 932 wrote to memory of 1304 932 WINWORD.EXE splwow64.exe PID 932 wrote to memory of 1304 932 WINWORD.EXE splwow64.exe PID 932 wrote to memory of 1304 932 WINWORD.EXE splwow64.exe PID 932 wrote to memory of 1304 932 WINWORD.EXE splwow64.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe PID 1796 wrote to memory of 1632 1796 mshta.exe rundll32.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 12.20.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta"3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\programdata\aMvl4.pdf,ShowDialogA -r4⤵
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\users\public\index.htaMD5
478ad2476fae05ae109845bc5e8165f8
SHA183cdd78c74c5548775c16e187258eccf037ae58e
SHA25695129bba2c036259fa080060421a1379bbb234cb7161004f27276e861236ddfc
SHA51205207941b294f08bb295c26e22e8535571967e17d89e3bc6b27d53ddc20cfcb683168ce0a9372f79815e419b83d657aa1112cadd2025b53dae5326de593324f4
-
\??\c:\programdata\aMvl4.pdfMD5
d7f2a2c51e0899e2279e37bb85869c96
SHA11e370850d9c3dd2c4c69c3b3328a69cded4cc1d4
SHA25619553aca4c518ed878c126c1f1e513e74e4b150774ce69c63b3e9e2fd52adc52
SHA512ff42b1e977ad03a5290962fb7867a5104ad033e21737f16b1f866aba61af08f93b7f8d78e3d5807510be946536c3f4464bf1debd6264412185925eeb465f3d9f
-
memory/932-2-0x000000000034E000-0x0000000000357000-memory.dmpFilesize
36KB
-
memory/932-3-0x0000000000378000-0x000000000037B000-memory.dmpFilesize
12KB
-
memory/1136-8-0x000007FEF6400000-0x000007FEF667A000-memory.dmpFilesize
2.5MB
-
memory/1304-7-0x0000000000000000-mapping.dmp
-
memory/1632-9-0x0000000000000000-mapping.dmp
-
memory/1796-6-0x0000000000000000-mapping.dmp
-
memory/1796-11-0x0000000005FB0000-0x0000000005FD3000-memory.dmpFilesize
140KB
-
memory/1964-4-0x0000000000000000-mapping.dmp