Analysis

max time kernel: 300s
max time network: 268s
platform: windows10_x64
resource: win10v20201028
submitted: 16-12-2020 23:48
Static task: static1

General

Target: specifics,12.16.2020.doc
Size: 92KB
MD5: ddf0d9e3d86f7542de8f619f00a7725a
SHA1: 082ba5b236a3b9a0ae5d8d6a070c3e764792e7f2
SHA256: 7561a0f5134bf3dbaa34d09f2a20dc01057626e74d7df42072bef06d6bd6ee95
SHA512: 7daf04c544334ba04c7f0e2b6654fee58ecf85cc4dabd42d9237a72d4d0beb833c4d72dfff9cc2f957b8eb6c68d18dcf4b24d919ca11ee88e24224619301c3d7
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 3784 (rundll32.exe)    pid_target: 3160 (WINWORD.EXE)

Blocklisted process makes network request (8 IoCs)
  flow  pid   process
  14    2004  mshta.exe
  30    1172  rundll32.exe
  32    1172  rundll32.exe
  34    1172  rundll32.exe
  36    1172  rundll32.exe
  38    1172  rundll32.exe
  40    1172  rundll32.exe
  42    1172  rundll32.exe
  The Network section of this report is empty, so the destinations of these eight flows are not recoverable from the page; only the fact that mshta.exe made one request and the second rundll32.exe made seven is.

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
  pid 1172  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; the report attributes no process or IoC to this signature.)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                               process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      WINWORD.EXE
  Both registry signatures are attributed to WINWORD.EXE itself, not to the rundll32.exe or mshta.exe stages, so on their own they do not show the dropped payload fingerprinting the host.

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 3160  WINWORD.EXE (2 occurrences)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1172  rundll32.exe (2 occurrences)

Suspicious use of FindShellTrayWindow (18 IoCs)
  pid 3160  WINWORD.EXE (18 occurrences)

Suspicious use of SetWindowsHookEx (20 IoCs)
  pid 3160  WINWORD.EXE (20 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
  pid   process       target pid  target process  count
  3160  WINWORD.EXE   3784        rundll32.exe    2
  3784  rundll32.exe  2004        mshta.exe       3
  2004  mshta.exe     1172        rundll32.exe    3
  Every pair is a parent writing into its own direct child and matches the process tree below; writes of this kind happen during normal process creation, so here the signature corroborates the chain rather than indicating injection into an unrelated process.
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (pid 3160)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\specifics,12.16.2020.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  └ C:\Windows\System32\rundll32.exe  (pid 3784)
      "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      └ C:\Windows\SysWOW64\mshta.exe  (pid 2004)
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          - Blocklisted process makes network request
          - Suspicious use of WriteProcessMemory

          └ C:\Windows\SysWOW64\rundll32.exe  (pid 1172)
              "C:\Windows\System32\rundll32.exe" c:\programdata\ah6Q0.pdf,ShowDialogA -r
              - Blocklisted process makes network request
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses

Notes on the chain (PIDs are taken from the signature tables above):
- The document never launches mshta.exe directly. The OpenURL export of url.dll hands the path to ShellExecute, and the .hta file association is what selects mshta.exe; the GUID pair on the mshta.exe command line is the stock htafile open command, not an attacker-chosen argument. Detection should key on WINWORD.EXE spawning rundll32.exe with url.dll,OpenURL and on mshta.exe running a file from C:\users\public.
- mshta.exe runs from SysWOW64 (32-bit), so the "System32\rundll32.exe" it launches resolves through file-system redirection to the SysWOW64 copy, which is why the image path and the command line differ for pid 1172.
- The final stage is a DLL stored as ah6Q0.pdf in C:\ProgramData and loaded by rundll32.exe through its ShowDialogA export (the "Loads dropped DLL" signature on pid 1172); the extension says nothing about the file type.
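The chain above can be turned into detection logic over process-creation events. The following is an added example, not part of the sandbox report and not the sandbox's own signature code. The records in REPORT_EVENTS are constructed from the command lines and PIDs in the process tree (the parent of WINWORD.EXE is not in the report and is assumed to be explorer.exe with an assumed pid); the last record is a constructed benign rundll32.exe launch to show the rules stay quiet on it. The field names are modelled on Sysmon Event ID 1 and are an assumption, not a real log schema.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "regsvr32.exe"}
RUNDLL32_EXTS = {".dll", ".cpl", ".ocx", ".ax"}   # extensions rundll32 normally loads
USER_WRITABLE = ("c:\\users\\public", "c:\\programdata", "\\appdata\\local\\temp")


@dataclass
class ProcessEvent:            # assumed schema, modelled on Sysmon Event ID 1
    pid: int
    parent_pid: int
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_module(command_line: str) -> Optional[str]:
    """Module argument of a rundll32 command line: the part before ',Export'."""
    m = re.match(r'^\s*"?[^"]*rundll32\.exe"?\s+(?:"([^"]+)"|(\S+))',
                 command_line, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) or m.group(2)).split(",", 1)[0]


def classify(ev: ProcessEvent) -> List[str]:
    """Rule names that fire on one process-creation record."""
    hits = []
    parent, image, cl = _base(ev.parent_image), _base(ev.image), ev.command_line.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    if image == "rundll32.exe":
        module = (rundll32_module(ev.command_line) or "").lower()
        if module.endswith("url.dll") and ",openurl" in cl:
            hits.append("rundll32-url.dll-openurl")        # ShellExecute proxy
        ext = ntpath.splitext(module)[1]
        if ext and ext not in RUNDLL32_EXTS:
            hits.append("rundll32-non-dll-module")         # a DLL stored as .pdf etc.
        if any(p in module for p in USER_WRITABLE):
            hits.append("rundll32-module-in-user-writable-path")
    if image == "mshta.exe" and any(p in cl for p in USER_WRITABLE):
        hits.append("mshta-hta-from-user-writable-path")
    return hits


def office_ancestor(events: List[ProcessEvent], pid: int, max_depth: int = 8) -> Optional[int]:
    """PID of the nearest Office ancestor of `pid`, walking parent links, or None."""
    by_pid = {e.pid: e for e in events}
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return None
        if _base(cur.parent_image) in OFFICE_APPS:
            return cur.parent_pid
        cur = by_pid.get(cur.parent_pid)
    return None


def triage(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Per-PID hits; 'office-ancestry' is added when an Office app sits anywhere up the chain."""
    out = {}
    for ev in events:
        hits = classify(ev)
        if hits and office_ancestor(events, ev.pid) is not None:
            hits.append("office-ancestry")
        if hits:
            out[ev.pid] = hits
    return out


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
REPORT_EVENTS = [   # command lines from the report; explorer.exe parent (pid 1234) is assumed
    ProcessEvent(3160, 1234, r"C:\Windows\explorer.exe", WINWORD,
                 r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\specifics,12.16.2020.doc" /o ""'),
    ProcessEvent(3784, 3160, WINWORD, r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta'),
    ProcessEvent(2004, 3784, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\mshta.exe",
                 r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcessEvent(1172, 2004, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" c:\programdata\ah6Q0.pdf,ShowDialogA -r'),
    # constructed benign control: Explorer opening a Control Panel applet
    ProcessEvent(4100, 1234, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for pid, hits in triage(REPORT_EVENTS).items():
        print(pid, ", ".join(hits))
```

Each stage trips a different single-event rule, and office_ancestor ties the last rundll32.exe (pid 1172) back to WINWORD.EXE three hops up even though its direct parent is mshta.exe; the benign rundll32.exe launch from explorer.exe produces no hits.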
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\users\public\index.hta
  MD5: 40c7509a0ef4fd0ef94508819d1d29ac
  SHA1: 4842a4ed5b75a445035fc6f800f9166a4e277928
  SHA256: 19349c14b4633c5d1f18d7cafb375e71c7a32862620245bec6b41836fe24aa5a
  SHA512: 539967b7839370d5505eeabb347052e3abd013c44b62c6a0eed81cddb8124acb87576251d43b1fd23f2b4b6e17b0700da76ad80087980ea316d7c33b3f0bc402

\??\c:\programdata\ah6Q0.pdf
  MD5: 79aa4d6a89e7d3d19a2a2a889a5bf030
  SHA1: eaeb14fb7f1b2a9d81a106bf4c8b2c0e1564f8e5
  SHA256: 686fa281df945b9935ead9babca62abf8c6a6e4580ff3d715d60229e61bac517
  SHA512: 4f1b94bbd6d5f2d4729c0a1900548785f11f2f5740b399305f063b4c3d39fed1eb044011b0d383ad225b64d451b06db13f028f5c3ca7df6dcc16520da5f13152

\ProgramData\ah6Q0.pdf
  Same file as the previous entry (identical MD5, SHA1, SHA256 and SHA512); the report lists the NT object path and the drive-relative path separately.

memory/1172-11-0x0000000000000000-mapping.dmp
memory/2004-10-0x0000000000000000-mapping.dmp
memory/3160-2-0x00007FFFEFBC0000-0x00007FFFF01F7000-memory.dmp  (6.2MB)
memory/3160-6-0x0000022C5A255000-0x0000022C5A25A000-memory.dmp  (20KB)
memory/3160-5-0x0000022C5A255000-0x0000022C5A25A000-memory.dmp  (20KB)
memory/3784-8-0x0000000000000000-mapping.dmp
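The dropped payload is a PE stored under a .pdf extension, so a host-side hunt must look at file contents, not names. The following is an added example, not part of the report: it walks a directory, skips files whose extension already says "executable", and flags any remaining file whose bytes carry a valid DOS header, PE signature and COFF file header, reporting architecture and whether the IMAGE_FILE_DLL characteristic is set. The sample files are constructed in a temporary directory (the "ah6Q0.pdf" there is a minimal synthetic PE, not the report's sample); no real malware is embedded.

```python
import os
import struct
import tempfile
from typing import Dict, Iterator, Optional, Tuple

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
EXEC_EXTS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr", ".drv", ".mui"}


def parse_pe_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return {'machine','is_dll','sections'} if `data` begins a valid PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": nsections}


def scan(root: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Yield (path, header) for files whose extension is not executable but whose bytes are a PE."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(0x400)        # headers sit at the start; no need to read the body
            except OSError:
                continue
            hdr = parse_pe_header(head)
            if hdr:
                yield path, hdr


def fake_pe(is_dll: bool, machine: int = 0x8664) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew, PE signature, COFF header, no sections."""
    e_lfanew = 0x80
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    return dos + b"\0" * (e_lfanew - len(dos)) + b"PE\0\0" + coff


def _write(directory: str, name: str, data: bytes) -> None:
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo() -> Dict[str, Dict[str, object]]:
    """Drop constructed samples in a temp dir and return what scan() flags, keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "ah6Q0.pdf", fake_pe(is_dll=True))                 # DLL hiding behind .pdf
        _write(d, "report.pdf", b"%PDF-1.7\n%constructed sample\n")  # genuine PDF magic
        _write(d, "tool.exe", fake_pe(is_dll=False))                 # honest extension, skipped
        _write(d, "notes.txt", b"MZ" + b"x" * 100)                   # 'MZ' text without a PE header
        return {os.path.basename(p): h for p, h in scan(d)}


if __name__ == "__main__":
    for name, hdr in demo().items():
        print(name, hdr)
```

Only the .pdf that is really a DLL is reported; the text file that happens to start with "MZ" is rejected because its e_lfanew points outside the file and no PE signature follows, which is the check that keeps a naive magic-byte grep from drowning in false positives.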