Analysis
-
max time kernel
138s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
12-01-2021 20:15
Static task
static1
Behavioral task
behavioral1
Sample
0112_91448090.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
0112_91448090.doc
Resource
win10v20201028
General
-
Target
0112_91448090.doc
-
Size
735KB
-
MD5
6a86a3f2527f8b42089108b78763e3ea
-
SHA1
18d2deff4bd27da46897ea93dace03e7dca71084
-
SHA256
6cd76e8f33a945b51d20b909495bbc613f78151dbea6c3a7a3a235bfd2167cdf
-
SHA512
ba4a3c88140b4f475300a75dc3e15f74a245ad2cfe0285b3ea515bde7ca6d8f87e4d8e6bce8d5ed095cd4660b08bc960fc34e743cb6b4d6f38c744e269168f1e
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1376 988 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 30 512 rundll32.exe 35 512 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 512 rundll32.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 29 api.ipify.org -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2116 512 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{11A997A0-82E0-41A7-ACFC-FC2A52288388}\0fiasS.tmp:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 988 WINWORD.EXE 988 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
rundll32.exeWerFault.exepid process 512 rundll32.exe 512 rundll32.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe 2116 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2116 WerFault.exe Token: SeBackupPrivilege 2116 WerFault.exe Token: SeDebugPrivilege 2116 WerFault.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 988 WINWORD.EXE 988 WINWORD.EXE 988 WINWORD.EXE 988 WINWORD.EXE 988 WINWORD.EXE 988 WINWORD.EXE 988 WINWORD.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
WINWORD.EXErundll32.exedescription pid process target process PID 988 wrote to memory of 3480 988 WINWORD.EXE splwow64.exe PID 988 wrote to memory of 3480 988 WINWORD.EXE splwow64.exe PID 988 wrote to memory of 1376 988 WINWORD.EXE rundll32.exe PID 988 wrote to memory of 1376 988 WINWORD.EXE rundll32.exe PID 1376 wrote to memory of 512 1376 rundll32.exe rundll32.exe PID 1376 wrote to memory of 512 1376 rundll32.exe rundll32.exe PID 1376 wrote to memory of 512 1376 rundll32.exe rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0112_91448090.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dll,DllUnregisterServer3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 13644⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
c2654475646c54ffa05986289fd568d2
SHA192a53864e8b9f9192d0721ed7692232f94b40e78
SHA25600b2312dd63960434d09962ad3e3e7203374421b687658bd3c02f194b172bfe3
SHA512087e71e48bf3e015c0394dea37db5bb551db140302de3409eeac4b6e5253351aa47e57ad95ebcff4d104b583ac81273a9b18dd866bcd3004a22b52e90d8a48cc
-
\Users\Admin\AppData\Roaming\Microsoft\Templates\W0rd.dllMD5
c2654475646c54ffa05986289fd568d2
SHA192a53864e8b9f9192d0721ed7692232f94b40e78
SHA25600b2312dd63960434d09962ad3e3e7203374421b687658bd3c02f194b172bfe3
SHA512087e71e48bf3e015c0394dea37db5bb551db140302de3409eeac4b6e5253351aa47e57ad95ebcff4d104b583ac81273a9b18dd866bcd3004a22b52e90d8a48cc
-
memory/512-7-0x0000000000000000-mapping.dmp
-
memory/988-2-0x00007FFA0F720000-0x00007FFA0FD57000-memory.dmpFilesize
6.2MB
-
memory/1376-5-0x0000000000000000-mapping.dmp
-
memory/2116-9-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/3480-3-0x0000000000000000-mapping.dmp
-
memory/3480-4-0x0000000002640000-0x0000000002641000-memory.dmpFilesize
4KB