Analysis
-
max time kernel
267s -
max time network
267s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28-01-2021 19:07
Static task
static1
Behavioral task
behavioral1
Sample
file.01.21.doc
Resource
win10v20201028
General
-
Target
file.01.21.doc
-
Size
92KB
-
MD5
cfbd343882b57a2d395ddb566984a0dd
-
SHA1
8baa1cb1935bafa0f89bd4fc5d5c8c47d05d1f4c
-
SHA256
dfffacd10a8887ff9e48cb452696fa8a9b6b83ea3e285b4f7d3692677c8c30fc
-
SHA512
e3606d5bc2354c7e4b3eff6aa681ee77d8f9aeaec07641a93ac02aed063b952feaa8ffebbb1fb4e68e5d131ece24264c03a6f4a5191d15e42767203bf83e1653
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
hello.compid process 2208 hello.com -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4092 WINWORD.EXE 4092 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
hello.comdescription pid process Token: SeIncreaseQuotaPrivilege 2208 hello.com Token: SeSecurityPrivilege 2208 hello.com Token: SeTakeOwnershipPrivilege 2208 hello.com Token: SeLoadDriverPrivilege 2208 hello.com Token: SeSystemProfilePrivilege 2208 hello.com Token: SeSystemtimePrivilege 2208 hello.com Token: SeProfSingleProcessPrivilege 2208 hello.com Token: SeIncBasePriorityPrivilege 2208 hello.com Token: SeCreatePagefilePrivilege 2208 hello.com Token: SeBackupPrivilege 2208 hello.com Token: SeRestorePrivilege 2208 hello.com Token: SeShutdownPrivilege 2208 hello.com Token: SeDebugPrivilege 2208 hello.com Token: SeSystemEnvironmentPrivilege 2208 hello.com Token: SeRemoteShutdownPrivilege 2208 hello.com Token: SeUndockPrivilege 2208 hello.com Token: SeManageVolumePrivilege 2208 hello.com Token: 33 2208 hello.com Token: 34 2208 hello.com Token: 35 2208 hello.com Token: 36 2208 hello.com Token: SeIncreaseQuotaPrivilege 2208 hello.com Token: SeSecurityPrivilege 2208 hello.com Token: SeTakeOwnershipPrivilege 2208 hello.com Token: SeLoadDriverPrivilege 2208 hello.com Token: SeSystemProfilePrivilege 2208 hello.com Token: SeSystemtimePrivilege 2208 hello.com Token: SeProfSingleProcessPrivilege 2208 hello.com Token: SeIncBasePriorityPrivilege 2208 hello.com Token: SeCreatePagefilePrivilege 2208 hello.com Token: SeBackupPrivilege 2208 hello.com Token: SeRestorePrivilege 2208 hello.com Token: SeShutdownPrivilege 2208 hello.com Token: SeDebugPrivilege 2208 hello.com Token: SeSystemEnvironmentPrivilege 2208 hello.com Token: SeRemoteShutdownPrivilege 2208 hello.com Token: SeUndockPrivilege 2208 hello.com Token: SeManageVolumePrivilege 2208 hello.com Token: 33 2208 hello.com Token: 34 2208 hello.com Token: 35 2208 hello.com Token: 36 2208 hello.com -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
WINWORD.EXEpid process 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE 4092 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEhello.comdescription pid process target process PID 4092 wrote to memory of 2208 4092 WINWORD.EXE hello.com PID 4092 wrote to memory of 2208 4092 WINWORD.EXE hello.com PID 2208 wrote to memory of 2112 2208 hello.com regsvr32.exe PID 2208 wrote to memory of 2112 2208 hello.com regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file.01.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\programdata\hello.comc:\programdata\hello.com pagefile get /format:"c:\programdata\hello.xsL"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 c:\programdata\41401.jpg3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\hello.comMD5
4191f61f2449ccc2bc2f2ac6d8898ce7
SHA1d49936fc8a03561214ce4bf9791ca59e94ab8fe9
SHA25674d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
SHA512fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
-
\??\c:\programdata\41401.jpgMD5
486a121ad856b15492d8da27ba93b7f7
SHA174e1a88a60e820a15998db6057d9aefb69f06c9d
SHA256f1aac5eef3352554aa19449523f5d4ab0627ba70011fac75aede60e1d4284da7
SHA512c60b3ba8900090f035b150272c357b11625fb23f4301d1312680fbf463301b205b379fe557b90e0d48f298d4aa1512aacd7b9ea0e294109da59f0ac636fc3c4f
-
\??\c:\programdata\hello.xsLMD5
886f82da2d65f460b35eb737d2897940
SHA1bd75c902bb9b490cb38667e11ee5979187b82468
SHA25604d407837c3a0a82ecc6d73c8d5685ca48621ee018b698f469bc954506a14f74
SHA512fff94b2555fa49f7b4f03d2bfd1bdb14c24ed2947f0332f6e65046b98406c706224a612dac74bebad14cfe0f1cbe88e3df51b2b5b25fb2f436d53d29357d2ca8
-
memory/2112-11-0x0000000000000000-mapping.dmp
-
memory/2208-8-0x0000000000000000-mapping.dmp
-
memory/4092-6-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-14-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmpFilesize
43.1MB
-
memory/4092-2-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-5-0x0000021282650000-0x0000021282C87000-memory.dmpFilesize
6.2MB
-
memory/4092-4-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-3-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-13-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmpFilesize
43.1MB
-
memory/4092-7-0x0000021291E80000-0x0000021291E84000-memory.dmpFilesize
16KB
-
memory/4092-15-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmpFilesize
43.1MB
-
memory/4092-16-0x00007FFFCCE80000-0x00007FFFCF9A3000-memory.dmpFilesize
43.1MB
-
memory/4092-17-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-18-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-19-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB
-
memory/4092-20-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmpFilesize
64KB