Analysis
- max time kernel: 149s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-12-2020 12:26

Static task: static1
Behavioral task: behavioral1
- Sample: files 12.17.2020.doc
- Resource: win7v20201028
General
- Target: files 12.17.2020.doc
- Size: 59KB
- MD5: 2a631559ef534a0d256692408ab51bcf
- SHA1: 3d3e0e6d1daa2fa91ac2c4b7cb3c98cbfd4913f7
- SHA256: f22d8e42dffd3328fd01c0eb8ad2a8872d8cb104f0be67f1bcf37e3b1b29c382
- SHA512: 3546fa4229e55d0201d744f751bd9c53b18a5c51f45704e7a5056857493098d5c3b95f4e4236442289c4b240fed61ae76318aa91f1b0b8739512cb921a8f39c9
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2748 | 2604 | rundll32.exe | WINWORD.EXE
- Blocklisted process makes network request (6 IoCs)
  Processes:
  flow | pid | process
  28 | 588 | rundll32.exe
  34 | 588 | rundll32.exe
  36 | 588 | rundll32.exe
  38 | 588 | rundll32.exe
  40 | 588 | rundll32.exe
  42 | 588 | rundll32.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  588 | rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  pid | process
  2604 | WINWORD.EXE
  2604 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  588 | rundll32.exe
  588 | rundll32.exe
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes:
  pid | process
  2604 | WINWORD.EXE (18 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | process | target process
  PID 2604 wrote to memory of 2748 | 2604 | WINWORD.EXE | rundll32.exe
  PID 2604 wrote to memory of 2748 | 2604 | WINWORD.EXE | rundll32.exe
  PID 2748 wrote to memory of 588 | 2748 | rundll32.exe | rundll32.exe
  PID 2748 wrote to memory of 588 | 2748 | rundll32.exe | rundll32.exe
  PID 2748 wrote to memory of 588 | 2748 | rundll32.exe | rundll32.exe
Processes
- [1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 2604)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files 12.17.2020.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\rundll32.exe (pid 2748)
    Command line: rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe (pid 588)
      Command line: rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
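The chain in the tree above is the whole detection story of this sample: WINWORD.EXE spawns rundll32.exe, rundll32 is told to load c:\programdata\MOxIZ.pdf through an exported function (rundll32 passes the name to LoadLibrary and never looks at the extension, which is why the "Downloads MZ/PE file" and "Loads dropped DLL" signatures both fire on a file called .pdf), the 64-bit SYSTEM32 rundll32 then re-executes the SysWOW64 copy with the identical command line (what 64-bit rundll32 does when the module turns out to be a 32-bit DLL), and the "Script User-Agent" hit is the default User-Agent of the WinHttp.WinHttpRequest COM object that VBA macros commonly drive. The Python below is an added example written for this page, not sandbox output or the sample's own code: it runs those checks over constructed Sysmon-style process events that mirror the report's process tree. The explorer.exe and svchost.exe parents, the parent PIDs 1000 and 800, the benign shell32.dll control row, the FAKE_PE bytes and the list of suspicious child binaries are assumptions used only to exercise the checks.

```python
"""Host- and proxy-side checks for the Word -> rundll32 chain in this report.

Added example for this page (not sandbox output or the sample's own code).
The events below are constructed to mirror the report's process tree; the
explorer.exe/svchost.exe parents, parent PIDs 1000 and 800, the benign
shell32.dll row and FAKE_PE are assumptions used only to exercise the checks.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows binaries an Office application has no business launching directly (assumed list).
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Default User-Agent of the WinHttp.WinHttpRequest COM object (report: "Script User-Agent").
SCRIPT_HOST_UA = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.IGNORECASE)
# [path\]rundll32[.exe] <module>,<export> [args]; the module may carry any extension.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE)

# Constructed process-creation events (Sysmon EID 1 style); pids 2604/2748/588 are from the report.
EVENTS = [
    {"pid": 2604, "parent_pid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                     r'"C:\Users\Admin\AppData\Local\Temp\files 12.17.2020.doc" /o ""'},
    {"pid": 2748, "parent_pid": 2604,
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "command_line": r"rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r"},
    {"pid": 588, "parent_pid": 2748, "parent_image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r"rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r"},
    {"pid": 3100, "parent_pid": 800, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",  # benign control row (assumed)
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_parent_child(ev: dict):
    """Office application spawning a LOLBin (report: 'Process spawned unexpected child process')."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        return f"pid {ev['pid']}: {parent} spawned {child}"
    return None


def check_rundll32_module(ev: dict):
    """rundll32 told to load a module whose name does not end in .dll.
    rundll32 hands the name to LoadLibrary, so a DLL renamed .pdf loads fine."""
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = RUNDLL32_RE.match(ev["command_line"])
    if not m:
        return None
    module = m.group("module").strip()
    name = basename(module)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext != "dll":
        return f"pid {ev['pid']}: rundll32 loads {module} (.{ext or '<none>'}), export {m.group('export')}"
    return None


def check_rundll32_relaunch(ev: dict, by_pid: dict):
    """rundll32 re-executed by rundll32 with an identical command line: the 64-bit copy
    handing a 32-bit module to the SysWOW64 copy, as in the report's tree."""
    parent = by_pid.get(ev["parent_pid"])
    if (parent is not None and basename(ev["image"]) == "rundll32.exe"
            and basename(parent["image"]) == "rundll32.exe"
            and parent["command_line"].lower() == ev["command_line"].lower()):
        return f"pid {ev['pid']}: rundll32 relaunched itself from pid {parent['pid']} with the same command line"
    return None


def analyze(events):
    """Run every check over every event; returns the list of findings (strings)."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        for finding in (check_parent_child(ev), check_rundll32_module(ev),
                        check_rundll32_relaunch(ev, by_pid)):
            if finding:
                findings.append(finding)
    return findings


def is_pe(data: bytes) -> bool:
    """True for an MZ header whose e_lfanew points at the PE signature, whatever the
    file is called (report: 'Downloads MZ/PE file' for a file named .pdf)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed minimal header (assumption, not the real MOxIZ.pdf): MZ stub, e_lfanew = 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"


def is_script_host_ua(user_agent: str) -> bool:
    """Proxy-side counterpart of the report's 'Script User-Agent' signature."""
    return SCRIPT_HOST_UA.search(user_agent) is not None


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
    print("dropped file is PE:", is_pe(FAKE_PE))
</test>
Running `analyze(EVENTS)` yields four findings: the Word-to-rundll32 parent/child, the .pdf module for both rundll32 instances, and the relaunch of pid 588 from pid 2748; the benign shell32.dll row produces nothing. `is_pe` is the check to apply to the downloaded bytes rather than trusting the extension, and `is_script_host_ua` is what to run over proxy logs for the User-Agent in flow 19.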
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\programdata\MOxIZ.pdf
  MD5: c0ad5ddda0245780ba0d36babdedb526
  SHA1: d3c8e9f0733bd9bf8ecc608179e9e99d6dc7c0cf
  SHA256: 446d4e7ac760e88162f625a1644ec5ce561ab24fa473f2f232bd7bf73502b63c
  SHA512: 93a4d1951e16d8584f9b42ed68de945fca23491798fc359b367c78075aae734d028e536558de5c2b26424da6216cad9162ed82e8ec5f23a4af136666d22f53d5
- \ProgramData\MOxIZ.pdf
  MD5: c0ad5ddda0245780ba0d36babdedb526
  SHA1: d3c8e9f0733bd9bf8ecc608179e9e99d6dc7c0cf
  SHA256: 446d4e7ac760e88162f625a1644ec5ce561ab24fa473f2f232bd7bf73502b63c
  SHA512: 93a4d1951e16d8584f9b42ed68de945fca23491798fc359b367c78075aae734d028e536558de5c2b26424da6216cad9162ed82e8ec5f23a4af136666d22f53d5
- memory/588-10-0x0000000000000000-mapping.dmp
- memory/2604-2-0x000001BEAF1A0000-0x000001BEAF7D7000-memory.dmp
  Filesize: 6.2MB
- memory/2604-12-0x00007FF894DD0000-0x00007FF8978F3000-memory.dmp
  Filesize: 43.1MB
- memory/2604-13-0x00007FF894DD0000-0x00007FF8978F3000-memory.dmp
  Filesize: 43.1MB
- memory/2748-8-0x0000000000000000-mapping.dmp