Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 11:22
Static task: static1
Behavioral task: behavioral1
  Sample: Liste397__12.01.2021_Carsamba.docx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Liste397__12.01.2021_Carsamba.docx
  Resource: win10v20201028
General
- Target: Liste397__12.01.2021_Carsamba.docx
- Size: 208KB
- MD5: dc41aa50be50697423ef1d266b9b1050
- SHA1: 6c90e082b24ceddbc02176be64a2f914e813ab48
- SHA256: 69275397c8f8bdc2b2f24c960375d9301a472a70b5f48f3ef4d72e2958e05a87
- SHA512: a3f22a198cbca0dfddbebeb97a5eb32a2e327ed3d072b2fcb6f37ff44c863e93e47ee1fd436ca1f48109d52495fe1864f258b0622bbac7e5dc6a59d36e5d3a99
Malware Config
Signatures
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1168 | 1424 | javaw.exe | WINWORD.EXE
    Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 580 | 1424 | javaw.exe | WINWORD.EXE
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow | ioc):
    9 | checkip.amazonaws.com
    4 | checkip.amazonaws.com
    6 | ipinfo.io
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
-
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
    1424 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    1424 | WINWORD.EXE
    1424 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1424 wrote to memory of 556 | 1424 | WINWORD.EXE | splwow64.exe (4 entries)
    PID 1424 wrote to memory of 1168 | 1424 | WINWORD.EXE | javaw.exe (4 entries)
    PID 1424 wrote to memory of 580 | 1424 | WINWORD.EXE | javaw.exe (4 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Liste397__12.01.2021_Carsamba.docx"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar"
    - Process spawned unexpected child process
  - C:\Program Files\Java\jre7\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar"
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\85986877527147364497769837232458224651471542897673669983652893892488554678389226.jar
  MD5: dcf08a33649ed492419e3a8c04d2e2b7
  SHA1: 6139647ba17b0e21d104bfcc80c80cd7a85c6ebf
  SHA256: c0edc402d5487ffc46211b84863de5948e7a412f89cd923cf676e6b1bad3a868
  SHA512: d73ef2ce89231fd3d80b785e510ae92714a4c303e47daba85617fd7aa4062e9dcfa35b1092702a7a2ba5ab971b83554bf1b8ffd67880ec79b6b25ad338181daf
- memory/556-2-0x0000000000000000-mapping.dmp
- memory/580-6-0x0000000000000000-mapping.dmp
- memory/1168-3-0x0000000000000000-mapping.dmp