Resubmissions
- 14-01-2021 11:54  210114-7xa6tfh59x  (score 10)
- 14-01-2021 11:48  210114-q634htvf9a  (score 10)
- 14-01-2021 01:32  210114-d1g1zn1d22  (score 8)
Analysis
- max time kernel: 243s
- max time network: 240s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 11:54
Static task: static1
Behavioral task: behavioral1
Sample: sample1.bin.doc
Resource: win7v20201028
General
- Target: sample1.bin.doc
- Size: 830KB
- MD5: 7dbd8ecfada1d39a81a58c9468b91039
- SHA1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
- SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
- SHA512: a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 296 | 1820 | Certutil.exe |
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1228 | 1820 | Rundll32.exe |
- Blocklisted process makes network request (8 IoCs)
  Processes:
  flow | pid | process
  7 | 1344 | rundll32.exe
  9 | 1344 | rundll32.exe
  11 | 1344 | rundll32.exe
  13 | 1344 | rundll32.exe
  15 | 1344 | rundll32.exe
  17 | 1344 | rundll32.exe
  19 | 1344 | rundll32.exe
  21 | 1344 | rundll32.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2020 | tmp_e473b4.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid | process
  1344 | rundll32.exe
  1344 | rundll32.exe
  1344 | rundll32.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
- Modifies system certificate store
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (value elided) | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
  pid | process
  1204 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid | process
  1204 | WINWORD.EXE
  1204 | WINWORD.EXE
  2020 | tmp_e473b4.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description | pid | process | target process
  PID 1204 wrote to memory of 1240 | 1204 | WINWORD.EXE | splwow64.exe
  PID 1204 wrote to memory of 1240 | 1204 | WINWORD.EXE | splwow64.exe
  PID 1204 wrote to memory of 1240 | 1204 | WINWORD.EXE | splwow64.exe
  PID 1204 wrote to memory of 1240 | 1204 | WINWORD.EXE | splwow64.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 1344 | 1228 | Rundll32.exe | rundll32.exe
  PID 1344 wrote to memory of 2020 | 1344 | rundll32.exe | tmp_e473b4.exe
  PID 1344 wrote to memory of 2020 | 1344 | rundll32.exe | tmp_e473b4.exe
  PID 1344 wrote to memory of 2020 | 1344 | rundll32.exe | tmp_e473b4.exe
  PID 1344 wrote to memory of 2020 | 1344 | rundll32.exe | tmp_e473b4.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample1.bin.doc"
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\Certutil.exe
  Command line: Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
  Signatures:
  - Process spawned unexpected child process
- C:\Windows\system32\Rundll32.exe
  Command line: Rundll32 C:\Users\Public\Ksh1.pdf,In
  Signatures:
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: Rundll32 C:\Users\Public\Ksh1.pdf,In
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe (child)
      Command line: C:\Users\Admin\AppData\Local\Temp/tmp_e473b4.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
  MD5: e87553aebac0bf74d165a87321c629be
  SHA1: 011fe975f5e1bb070856ea28525053f6e2d36897
  SHA256: 9f3a07e6a4b0588cc4fcf4185639bde5806d212ea3b3ab8916fed2b1cc9414a7
  SHA512: 259cc675e5e258cc1917e4a6701f4578345a78a42ab7850c17b5e943ea4f5f0bdac9e7cfd709b64684bd390e078449879b1678704b20f109e1bb08ccdbfe179a
- C:\Users\Public\Ksh1.pdf
  MD5: 706ea7f029e6bc4dbf845db3366f9a0e
  SHA1: 942443dfb8784066523db761886115e08c99575f
  SHA256: fb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800ac
  SHA512: 036d5de7e732302ef81989fba62abb1375119fc8141748d6548ed2310e95bdc07468ada5cbf06c4f721b2b95caf51e3267d4ef6db2a2031cf5c8b2abee1c15a3
- C:\Users\Public\Ksh1.xls
  MD5: d631ab4ceff199b52ff4e4b7aad0199d
  SHA1: f30002c31bf32184507182100942a2012f0b8703
  SHA256: 9de083f693c144a38d697089f6560a2efe81b1ad1c5385ec07d6b41bb54b8ffe
  SHA512: 56b3941cd93658f7df8976213e2dfd5cb74e7abb651ad26fda9b7191e675e03289366b32eedf68d139562a88dbbae2589fda8abbdb756c43e2e605863459a162
- \Users\Admin\AppData\Local\Temp\tmp_e473b4.exe
  MD5: e87553aebac0bf74d165a87321c629be
  SHA1: 011fe975f5e1bb070856ea28525053f6e2d36897
  SHA256: 9f3a07e6a4b0588cc4fcf4185639bde5806d212ea3b3ab8916fed2b1cc9414a7
  SHA512: 259cc675e5e258cc1917e4a6701f4578345a78a42ab7850c17b5e943ea4f5f0bdac9e7cfd709b64684bd390e078449879b1678704b20f109e1bb08ccdbfe179a
- \Users\Public\Ksh1.pdf
  MD5: 706ea7f029e6bc4dbf845db3366f9a0e
  SHA1: 942443dfb8784066523db761886115e08c99575f
  SHA256: fb07f875dc45e6045735513e75a83c50c78154851bd23a645d43ea853e6800ac
  SHA512: 036d5de7e732302ef81989fba62abb1375119fc8141748d6548ed2310e95bdc07468ada5cbf06c4f721b2b95caf51e3267d4ef6db2a2031cf5c8b2abee1c15a3
- memory/1240-2-0x0000000000000000-mapping.dmp
- memory/1344-6-0x0000000000000000-mapping.dmp
- memory/1680-3-0x000007FEF7510000-0x000007FEF778A000-memory.dmp
  Filesize: 2.5MB
- memory/2020-10-0x0000000000000000-mapping.dmp
- memory/2020-14-0x0000000002A70000-0x0000000002A74000-memory.dmp
  Filesize: 16KB
- memory/2020-15-0x0000000002670000-0x0000000002674000-memory.dmp
  Filesize: 16KB