8bcf45c2de07f322b8efb959e3cef38fb9983fdb8b932c527321fd3db5e444c8

General

Target

0112_1005636132.doc
Size

735KB
MD5

5773e90313ac82d4a3a2174260e486da
SHA1

4e40fbd0b04aee9b1c0f0daeb61e3f3879870cd5
SHA256

8bcf45c2de07f322b8efb959e3cef38fb9983fdb8b932c527321fd3db5e444c8
SHA512

b34dc85f0b44753e0291e429ef0d5ca5ab92f291fd3d49b8dca82053b56898e56d1be8bb9375436ffeb32a8298ff8de2d25d86fbab01a7e09c2dddea34acdf4a

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4036	508	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

36 1312 rundll32.exe
38 1312 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1312 rundll32.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2832 1312 WerFault.exe rundll32.exe

flow	pid	process
36	1312	rundll32.exe
38	1312	rundll32.exe

flow	ioc
33	api.ipify.org

pid	pid_target	process	target process
2832	1312	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{FF803191-260F-4862-A94E-D9183A63813A}\0fiasS.tmp:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

508 WINWORD.EXE
508 WINWORD.EXE

pid	process
508	WINWORD.EXE
508	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exeWerFault.exe

pid	process
1312	rundll32.exe
1312	rundll32.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe
2832	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2832 WerFault.exe
Token: SeBackupPrivilege 2832 WerFault.exe
Token: SeDebugPrivilege 2832 WerFault.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE
508 WINWORD.EXE

description	pid	process
Token: SeRestorePrivilege	2832	WerFault.exe
Token: SeBackupPrivilege	2832	WerFault.exe
Token: SeDebugPrivilege	2832	WerFault.exe

pid	process
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE
508	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 508 wrote to memory of 3724	508	WINWORD.EXE	splwow64.exe
PID 508 wrote to memory of 3724	508	WINWORD.EXE	splwow64.exe
PID 508 wrote to memory of 4036	508	WINWORD.EXE	rundll32.exe
PID 508 wrote to memory of 4036	508	WINWORD.EXE	rundll32.exe
PID 4036 wrote to memory of 1312	4036	rundll32.exe	rundll32.exe
PID 4036 wrote to memory of 1312	4036	rundll32.exe	rundll32.exe
PID 4036 wrote to memory of 1312	4036	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0112_1005636132.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3724

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1356
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll

MD5
9ad6611f57f355f29b6cb07035d72c6b

SHA1
bb9c38db77b96282ee2c9a06b59fb6350730bfc2

SHA256
cdcd5ee8b80d3a3863e0c55d4af5384522144011b071d00c9c71ae009305f130

SHA512
b371568f23b4e89b4f6cf91b8a42bae917a790a08e0b428b9fc114b902581b3f744521cfdc2dea8ad3a728ba45153c57e821d37e0744d6cb50dcaceea4e6817d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll

MD5
9ad6611f57f355f29b6cb07035d72c6b

SHA1
bb9c38db77b96282ee2c9a06b59fb6350730bfc2

SHA256
cdcd5ee8b80d3a3863e0c55d4af5384522144011b071d00c9c71ae009305f130

SHA512
b371568f23b4e89b4f6cf91b8a42bae917a790a08e0b428b9fc114b902581b3f744521cfdc2dea8ad3a728ba45153c57e821d37e0744d6cb50dcaceea4e6817d

Download Submit
memory/508-2-0x000001381F440000-0x000001381FA77000-memory.dmp

Filesize
6.2MB

Download
memory/1312-7-0x0000000000000000-mapping.dmp

Download
memory/2832-9-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/3724-3-0x0000000000000000-mapping.dmp

Download
memory/3724-4-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/4036-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads