Analysis
-
max time kernel
136s -
max time network
129s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21-01-2021 06:22
Static task
static1
Behavioral task
behavioral1
Sample
EASTEND.doc
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
EASTEND.doc
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
EASTEND.doc
-
Size
299KB
-
MD5
4ba5af0ca862e168e6be9b311c19d023
-
SHA1
489c5f20f70391e817a1b2406f164b789094c376
-
SHA256
91a88238f5b4dc93a3626e9fc6cf1c5e10b5690153bac179606128380fb45142
-
SHA512
36ee5ddeadf4cb447b52810174173b8919b7ecd93659cf091ba1f5aab79618b4a416807b3feb6e42eb7a0a2e19e5d63dcbfb412cd54245e04afe535c3f4213e9
Score
5/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1056 WINWORD.EXE 1056 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE 1056 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\EASTEND.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1056-2-0x00007FFF08940000-0x00007FFF08950000-memory.dmpFilesize
64KB
-
memory/1056-3-0x00007FFF08940000-0x00007FFF08950000-memory.dmpFilesize
64KB
-
memory/1056-4-0x00007FFF08940000-0x00007FFF08950000-memory.dmpFilesize
64KB
-
memory/1056-5-0x00007FFF28260000-0x00007FFF28897000-memory.dmpFilesize
6.2MB
-
memory/1056-6-0x00007FFF08940000-0x00007FFF08950000-memory.dmpFilesize
64KB