dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

General

Target

sample1.bin.doc
Size

830KB
MD5

7dbd8ecfada1d39a81a58c9468b91039
SHA1

0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256

dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
SHA512

a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Certutil.exeRundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	1820	Certutil.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1820	Rundll32.exe

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
7	1344	rundll32.exe
9	1344	rundll32.exe
11	1344	rundll32.exe
13	1344	rundll32.exe
15	1344	rundll32.exe
17	1344	rundll32.exe
19	1344	rundll32.exe
21	1344	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

tmp_e473b4.exe

pid process

2020 tmp_e473b4.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

1344 rundll32.exe
1344 rundll32.exe
1344 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
2020	tmp_e473b4.exe

pid	process
1344	rundll32.exe
1344	rundll32.exe
1344	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1204 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEtmp_e473b4.exe

pid process

1204 WINWORD.EXE
1204 WINWORD.EXE
2020 tmp_e473b4.exe

pid	process
1204	WINWORD.EXE

pid	process
1204	WINWORD.EXE
1204	WINWORD.EXE
2020	tmp_e473b4.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXERundll32.exerundll32.exe

description	pid	process	target process
PID 1204 wrote to memory of 1240	1204	WINWORD.EXE	splwow64.exe
PID 1204 wrote to memory of 1240	1204	WINWORD.EXE	splwow64.exe
PID 1204 wrote to memory of 1240	1204	WINWORD.EXE	splwow64.exe
PID 1204 wrote to memory of 1240	1204	WINWORD.EXE	splwow64.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 1344	1228	Rundll32.exe	rundll32.exe
PID 1344 wrote to memory of 2020	1344	rundll32.exe	tmp_e473b4.exe
PID 1344 wrote to memory of 2020	1344	rundll32.exe	tmp_e473b4.exe
PID 1344 wrote to memory of 2020	1344	rundll32.exe	tmp_e473b4.exe
PID 1344 wrote to memory of 2020	1344	rundll32.exe	tmp_e473b4.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample1.bin.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1240

C:\Windows\system32\Certutil.exe
Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
1⤵
- Process spawned unexpected child process
PID:296

C:\Windows\system32\Rundll32.exe
Rundll32 C:\Users\Public\Ksh1.pdf,In
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\rundll32.exe
Rundll32 C:\Users\Public\Ksh1.pdf,In
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
C:\Users\Admin\AppData\Local\Temp/tmp_e473b4.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
MD5
e87553aebac0bf74d165a87321c629be

SHA1
011fe975f5e1bb070856ea28525053f6e2d36897

SHA256
9f3a07e6a4b0588cc4fcf4185639bde5806d212ea3b3ab8916fed2b1cc9414a7

SHA512
259cc675e5e258cc1917e4a6701f4578345a78a42ab7850c17b5e943ea4f5f0bdac9e7cfd709b64684bd390e078449879b1678704b20f109e1bb08ccdbfe179a

Download Submit
C:\Users\Public\Ksh1.pdf
MD5
706ea7f029e6bc4dbf845db3366f9a0e

SHA1
942443dfb8784066523db761886115e08c99575f

SHA256
fb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800ac

SHA512
036d5de7e732302ef81989fba62abb1375119fc8141748d6548ed2310e95bdc07468ada5cbf06c4f721b2b95caf51e3267d4ef6db2a2031cf5c8b2abee1c15a3

Download Submit
C:\Users\Public\Ksh1.xls
MD5
d631ab4ceff199b52ff4e4b7aad0199d

SHA1
f30002c31bf32184507182100942a2012f0b8703

SHA256
9de083f693c144a38d697089f6560a2efe81b1ad1c5385ec07d6b41bb54b8ffe

SHA512
56b3941cd93658f7df8976213e2dfd5cb74e7abb651ad26fda9b7191e675e03289366b32eedf68d139562a88dbbae2589fda8abbdb756c43e2e605863459a162

Download Submit
\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
MD5
e87553aebac0bf74d165a87321c629be

SHA1
011fe975f5e1bb070856ea28525053f6e2d36897

SHA256
9f3a07e6a4b0588cc4fcf4185639bde5806d212ea3b3ab8916fed2b1cc9414a7

SHA512
259cc675e5e258cc1917e4a6701f4578345a78a42ab7850c17b5e943ea4f5f0bdac9e7cfd709b64684bd390e078449879b1678704b20f109e1bb08ccdbfe179a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
MD5
e87553aebac0bf74d165a87321c629be

SHA1
011fe975f5e1bb070856ea28525053f6e2d36897

SHA256
9f3a07e6a4b0588cc4fcf4185639bde5806d212ea3b3ab8916fed2b1cc9414a7

SHA512
259cc675e5e258cc1917e4a6701f4578345a78a42ab7850c17b5e943ea4f5f0bdac9e7cfd709b64684bd390e078449879b1678704b20f109e1bb08ccdbfe179a

Download Submit
\Users\Public\Ksh1.pdf
MD5
706ea7f029e6bc4dbf845db3366f9a0e

SHA1
942443dfb8784066523db761886115e08c99575f

SHA256
fb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800ac

SHA512
036d5de7e732302ef81989fba62abb1375119fc8141748d6548ed2310e95bdc07468ada5cbf06c4f721b2b95caf51e3267d4ef6db2a2031cf5c8b2abee1c15a3

Download Submit
memory/1240-2-0x0000000000000000-mapping.dmp

Download
memory/1344-6-0x0000000000000000-mapping.dmp

Download
memory/1680-3-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/2020-10-0x0000000000000000-mapping.dmp

Download
memory/2020-14-0x0000000002A70000-0x0000000002A74000-memory.dmp

Filesize
16KB

Download
memory/2020-15-0x0000000002670000-0x0000000002674000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads