Analysis

max time kernel: 140s
max time network: 140s
platform: windows10_x64
resource: win10v20201028
submitted: 15-12-2020 18:06

Static task: static1
Behavioral task: behavioral1
Sample: enjoin,12.15.2020.doc
Resource: win7v20201028
General

Target: enjoin,12.15.2020.doc
Size: 95KB
MD5: 833181d6dc9faf97302fe055e4d70799
SHA1: 0ce9dabffe93625a44751507355b719806d81d2b
SHA256: 47220270d007200cdf76e9867245320ead29976e15ab5e164d9babe8ac04bea0
SHA512: a4f30b2203751528b4c3577549235de15d81c39b31f58825ee5117220d6d3fd7e7478c6c33ff7a0e3cf5495b2fd0a1bff611dbf4f086849f9a1c4dc3cc610de2
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 2724 (rundll32.exe)
  pid_target: 728 (WINWORD.EXE)
Blocklisted process makes network request (6 IoCs)
Processes: mshta.exe, rundll32.exe
  flow  pid   process
  26    1328  mshta.exe
  29    2428  rundll32.exe
  33    2428  rundll32.exe
  35    2428  rundll32.exe
  39    2428  rundll32.exe
  40    2428  rundll32.exe
Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid   process
  2428  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description        ioc                                                       process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS        WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Modifies registry class (1 IoC)
Processes: rundll32.exe
  description  ioc                                                                                   process
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid  process
  728  WINWORD.EXE  (2 identical entries)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid   process
  2428  rundll32.exe  (2 identical entries)

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes: WINWORD.EXE
  pid  process
  728  WINWORD.EXE  (18 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: WINWORD.EXE, rundll32.exe, mshta.exe
  description                       pid   process       target process
  PID 728 wrote to memory of 2724   728   WINWORD.EXE   rundll32.exe   (2 entries)
  PID 2724 wrote to memory of 1328  2724  rundll32.exe  mshta.exe      (3 entries)
  PID 1328 wrote to memory of 2428  1328  mshta.exe     rundll32.exe   (3 entries)
Processes
(indentation shows the parent/child nesting; the depth number is the one recorded in the report)

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\enjoin,12.15.2020.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\atdyl.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\users\public\index.hta
  MD5:    8e92bf0befd2c2434f6afbaf95acb8bf
  SHA1:   1d06bcaf7d578a3353736fa62cbf17c1f7d8acc9
  SHA256: fb1865b72c9d95a3f4c72cc356fb34f2e2de10ae313f64ebd98b72327bda5365
  SHA512: 977657cf814ec2d79d3b0dfd475079f122dd8fab3c793cccc2624d7c0ca6388e4c7185f73703783af9aac966d652097d2ea855a932e4a3ac7fb4f6c1b7808704

\??\c:\programdata\atdyl.pdf (also recorded as \ProgramData\atdyl.pdf, with identical hashes)
  MD5:    8106e36bfe9eed6ef14b5caad2ad046e
  SHA1:   3bf0f24f3167dd7aeae1cb91d7ea40e5dfe1074f
  SHA256: bc060abf8b106ee5e3906c961e75a87fa1e95e5fb0da3003a24dcb719e616b80
  SHA512: 7a828d3813d16a3101177b9a7140dd720cc5b65e706942f99f12660803451228fbee718b59a39fd82694da7157266eda7e88e15e982015524115f9c0e9147623
Memory dumps

memory/728-2-0x00007FF99AF40000-0x00007FF99B577000-memory.dmp  Filesize: 6.2MB
memory/728-3-0x0000010F58FA8000-0x0000010F58FAB000-memory.dmp  Filesize: 12KB
memory/728-4-0x0000010F58FA8000-0x0000010F58FAB000-memory.dmp  Filesize: 12KB
memory/728-5-0x0000010F58FAB000-0x0000010F58FB2000-memory.dmp  Filesize: 28KB
memory/1328-8-0x0000000000000000-mapping.dmp
memory/2428-9-0x0000000000000000-mapping.dmp
memory/2724-6-0x0000000000000000-mapping.dmp