Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-03-2021 04:49

Static task: static1
Behavioral task: behavioral1
- Sample: remote.dotm
- Resource: win10v20201028
General
- Target: remote.dotm
- Size: 22KB
- MD5: e2b322ed2a62e9bd4c1bfcdb2b37b9b7
- SHA1: 3b55d9794ecb4d83755408124b90b03e364fea72
- SHA256: 047cbd2775987f67362ce15822b1aecb77bf9bf435118bdc9fbb11b94221e97b
- SHA512: ed335a2676c133990e5bbd97c1d4a793e0e61c32dcb0b31d62a286cc0e20aab17ab32239823cc1d634c7ed249491f5de59ce29c258f695539c72e5040d38904a
Malware Config

Extracted: metasploit
- payload: windows/download_exec
- url: http://resources.healthmade.org:80/thumb/preview.gif
- headers: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Extracted: cobaltstrike
- url: http://resources.healthmade.org:80/__utm.gif
- access_type: 512
- beacon_type: 0
- create_remote_thread: 0
- day: 0
- dns_idle: 0
- dns_sleep: 0
- host: resources.healthmade.org,/__utm.gif
- http_header1: 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
- http_header2: 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
- http_method1: GET
- http_method2: POST
- injection_process: (empty)
- jitter: 7680
- maxdns: 0
- month: 0
- pipe_name: (empty)
- polling_time: 30000
- port_number: 80
- proxy_password: (empty)
- proxy_server: (empty)
- proxy_username: (empty)
- sc_process32: %windir%\syswow64\WerFault.exe
- sc_process64: %windir%\sysnative\WerFault.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjjTxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 6.71092736e+08
- unknown2: AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.9665394e+07
- uri: /___utm.gif
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- year: 0
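The state_machine value above is not opaque: its base64 prefix MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB is the DER header of a SubjectPublicKeyInfo for a 1024-bit RSA key, followed by zero padding. Cobalt Strike beacons carry the team server's RSA public key in their config and use it to encrypt session metadata on the first check-in, and the key pair is generated per team server, so a hash of the DER key is a useful pivot for grouping samples by operator infrastructure. The script below, written for this page and not part of the report or of Cobalt Strike, decodes that field with a minimal DER walker (no external library), verifies it is an rsaEncryption key, and reports modulus size, public exponent, and a SHA-256 fingerprint of the key. The DER walker only handles the tag and length forms that occur in an RSA SubjectPublicKeyInfo; it is not a general ASN.1 parser.

```python
import base64
import hashlib

# Copied from the extracted Cobalt Strike config (state_machine field) in the report above.
STATE_MACHINE_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjj"
    "TxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6"
    "k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQAB"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
)

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents of the OBJECT IDENTIFIER.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it).

    Handles short-form lengths and long-form lengths of up to a few bytes, which
    covers everything inside an RSA SubjectPublicKeyInfo.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_beacon_pubkey(b64: str) -> dict:
    """Decode a zero-padded base64 SubjectPublicKeyInfo and describe the RSA key inside."""
    stripped = b64.strip().rstrip("=")
    # Decode only complete 4-character groups so sloppy trailing padding cannot break the decode;
    # the key itself sits at the front of the blob and is delimited by its own DER length.
    stripped = stripped[: len(stripped) - len(stripped) % 4]
    blob = base64.b64decode(stripped)

    tag, spki, der_end = _tlv(blob, 0)              # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("outer DER element is not a SEQUENCE")
    der = blob[:der_end]
    padding = blob[der_end:]

    tag, alg, after_alg = _tlv(spki, 0)             # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid, _ = _tlv(alg, 0)                  #   OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")

    tag, bitstr, _ = _tlv(spki, after_alg)          # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING (expected zero unused bits)")
    tag, rsapub, _ = _tlv(bitstr, 1)                # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("RSAPublicKey is not a SEQUENCE")
    _, n_bytes, after_n = _tlv(rsapub, 0)           # modulus INTEGER
    _, e_bytes, _ = _tlv(rsapub, after_n)           # publicExponent INTEGER

    modulus = int.from_bytes(n_bytes, "big")
    exponent = int.from_bytes(e_bytes, "big")
    return {
        "is_rsa": oid == RSA_ENCRYPTION_OID,
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        "der_len": len(der),
        "padding_all_zero": not any(padding),
        # SHA-256 over the DER key only (padding excluded), for clustering beacons by team server.
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in parse_beacon_pubkey(STATE_MACHINE_B64).items():
        print(f"{key}: {value}")
```

Expect a 162-byte DER key with a 1024-bit modulus and exponent 65537; the fingerprint is what you would store alongside the C2 host when comparing this sample with other beacons.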
Signatures

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3732 | 4764 | rundll32.exe | WINWORD.EXE

- Blocklisted process makes network request (6 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  15 | 3732 | rundll32.exe
  16 | 3732 | rundll32.exe
  33 | 3732 | rundll32.exe
  34 | 3732 | rundll32.exe
  39 | 3732 | rundll32.exe
  40 | 3732 | rundll32.exe
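The network flows above belong to rundll32.exe, and the extracted configs describe what they carry: a GET for /thumb/preview.gif (the Metasploit download_exec stager) and then Cobalt Strike check-ins to resources.healthmade.org, GET /__utm.gif for tasking and POST /___utm.gif for results, every 30 s (polling_time 30000 ms) with the user agent from the config. Two details are worth a detection engineer's attention: /__utm.gif and /___utm.gif with that IE11 user agent are the stock Cobalt Strike HTTP profile, and the user agent claims Windows NT 6.1 (Windows 7) while the host is Windows 10, a mismatch a proxy log can expose without any payload inspection. The script below, added for this page and not part of the report, runs those checks over constructed proxy log lines (the log format, client address and timestamps are invented): it matches host and URI against the extracted config, measures the interval between check-in GETs per client, and compares the median against the configured sleep.

```python
import re
import statistics
from datetime import datetime

# Indicators copied from the extracted metasploit and cobaltstrike configs above.
C2_HOST = "resources.healthmade.org"
C2_URIS = {"/__utm.gif", "/___utm.gif", "/thumb/preview.gif"}
C2_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
SLEEP_MS = 30000  # polling_time from the beacon config

# Constructed sample log, not taken from the report. Hypothetical format:
# "<ISO timestamp> <client> <method> <host> <uri> <status> "<user-agent>""
_BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    f'2021-03-04T04:50:01Z 10.0.0.15 GET resources.healthmade.org /thumb/preview.gif 200 "{C2_UA}"',
    f'2021-03-04T04:50:04Z 10.0.0.15 GET resources.healthmade.org /__utm.gif 200 "{C2_UA}"',
    f'2021-03-04T04:50:11Z 10.0.0.15 GET www.example.com /index.html 200 "{_BROWSER_UA}"',
    f'2021-03-04T04:50:33Z 10.0.0.15 GET resources.healthmade.org /__utm.gif 200 "{C2_UA}"',
    f'2021-03-04T04:51:05Z 10.0.0.15 GET resources.healthmade.org /__utm.gif 200 "{C2_UA}"',
    f'2021-03-04T04:51:06Z 10.0.0.15 POST resources.healthmade.org /___utm.gif 200 "{C2_UA}"',
    f'2021-03-04T04:51:34Z 10.0.0.15 GET resources.healthmade.org /__utm.gif 200 "{C2_UA}"',
    f'2021-03-04T04:52:03Z 10.0.0.15 GET resources.healthmade.org /__utm.gif 200 "{C2_UA}"',
])

_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')
_NT_VERSION = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}


def parse_proxy_log(text: str) -> list:
    """Parse the hypothetical proxy format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, client, method, host, uri, status, ua = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "host": host,
            "uri": uri, "status": int(status), "ua": ua,
        })
    return records


def match_c2(records: list) -> list:
    """Keep requests to the configured C2 host and URIs; note whether the UA also matches."""
    hits = []
    for r in records:
        if r["host"] == C2_HOST and r["uri"] in C2_URIS:
            hits.append(dict(r, ua_match=(r["ua"] == C2_UA)))
    return hits


def checkin_intervals(records: list, uri: str = "/__utm.gif") -> dict:
    """Seconds between consecutive tasking GETs, per client address."""
    times = {}
    for r in records:
        if r["method"] == "GET" and r["uri"] == uri:
            times.setdefault(r["client"], []).append(r["ts"])
    return {
        client: [(b - a).total_seconds() for a, b in zip(sorted(ts), sorted(ts)[1:])]
        for client, ts in times.items()
    }


def looks_like_beacon(intervals: list, sleep_s: float = SLEEP_MS / 1000, tolerance: float = 0.5) -> bool:
    """True when at least three intervals exist and their median is within tolerance of the sleep.

    Cobalt Strike randomises each sleep by its jitter setting, so a tolerance band is used
    rather than an exact match.
    """
    if len(intervals) < 3:
        return False
    return abs(statistics.median(intervals) - sleep_s) <= tolerance * sleep_s


def ua_windows_version(ua: str):
    """Windows version a user agent claims, for comparison with the asset inventory."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return _NT_VERSION.get(m.group(1)) if m else None


if __name__ == "__main__":
    hits = match_c2(parse_proxy_log(SAMPLE_LOG))
    for client, iv in checkin_intervals(hits).items():
        print(client, iv, "beacon-like" if looks_like_beacon(iv) else "irregular")
    print("UA claims:", ua_windows_version(C2_UA))
```

Matching on host and URI alone is brittle, since both are operator choices; the interval check and the OS claim in the user agent are the parts that survive a change of domain, so keep them as separate findings rather than folding them into one rule.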
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4764 | WINWORD.EXE
  4764 | WINWORD.EXE

- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4764 | WINWORD.EXE (7 identical entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: WINWORD.EXE
  description | pid | process | target process
  PID 4764 wrote to memory of 3732 | 4764 | WINWORD.EXE | rundll32.exe (64 identical entries)

Note that the registry reads, the clipboard listener and the window hooks are all attributed to WINWORD.EXE itself, which performs such calls during normal start-up, so on their own they do not distinguish this document from a benign one. The WriteProcessMemory entries are different in kind: every one of them is Word writing into the rundll32.exe child it spawned, which is the injection of the stager into that process and is the signal to pivot on.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\remote.dotm" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: C:\Windows\SysWOW64\rundll32.exe
      - Process spawned unexpected child process
      - Blocklisted process makes network request
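The process tree above is the part of this report that generalises best into an endpoint detection: a 64-bit Office process (WINWORD.EXE under Program Files, with 0x00007FFB... memory regions) spawning the 32-bit C:\Windows\SysWOW64\rundll32.exe with no DLL or export on its command line. rundll32 with a bare image path has nothing legitimate to run and is a classic host for injected code; a 32-bit child under a 64-bit parent is another hint that the child was chosen for a 32-bit payload rather than by the parent's normal logic. Note also that sc_process32/sc_process64 in the beacon config point at WerFault.exe (the Cobalt Strike spawnto setting), so later post-exploitation jobs would surface as WerFault.exe children, not as more rundll32 instances. The following detection logic is an added example for this page, not part of the report or of any product; it runs over constructed Sysmon-style process-creation events, of which only the first reproduces the report's tree (the other events and all PIDs except 3732/4764 are invented).

```python
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
# Signed Windows binaries commonly used to host or proxy a payload launched from a macro.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}

# Constructed events in the shape of Sysmon Event ID 1 fields. Event 0 matches the report's tree;
# the others are invented controls.
SAMPLE_EVENTS = [
    {
        "ProcessId": 3732,
        "Image": r"C:\Windows\SysWOW64\rundll32.exe",
        "CommandLine": r"C:\Windows\SysWOW64\rundll32.exe",
        "ParentProcessId": 4764,
        "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\remote.dotm" /o ""',
    },
    {   # benign: Explorer launching a Control Panel applet through rundll32 with a real DLL,export
        "ProcessId": 5120,
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "ParentProcessId": 4000,
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # Office spawning cmd.exe with arguments: still an Office-to-LOLBin edge, fewer extra signals
        "ProcessId": 6001,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami',
        "ParentProcessId": 4764,
        "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"',
    },
]

# First token of a Windows command line: either a double-quoted path or a run of non-spaces.
_IMAGE_TOKEN = re.compile(r'^\s*(?:"[^"]*"|\S+)')


def _arguments(command_line: str) -> str:
    """Everything after the image token of a Windows command line (empty if none)."""
    m = _IMAGE_TOKEN.match(command_line)
    return command_line[m.end():].strip() if m else command_line.strip()


def _is_wow64(path: str) -> bool:
    """True for images under the 32-bit system directory of a 64-bit Windows install."""
    return "\\syswow64\\" in path.lower()


def assess_process_event(ev: dict) -> list:
    """Return the reasons an event looks like an Office macro spawning an injection host."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    child = ntpath.basename(ev["Image"]).lower()
    reasons = []
    if parent in OFFICE_APPS and child in LOLBIN_HOSTS:
        reasons.append(f"office-parent: {parent} spawned {child}")
        if not _arguments(ev["CommandLine"]):
            reasons.append(f"no-arguments: {child} launched with a bare image path (injection host)")
        if _is_wow64(ev["Image"]) and not _is_wow64(ev["ParentImage"]):
            reasons.append("wow64-child: 32-bit child spawned by a 64-bit parent")
    return reasons


def run_detection(events: list) -> list:
    """(pid, reasons) for every event that triggers at least one reason."""
    findings = []
    for ev in events:
        reasons = assess_process_event(ev)
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in run_detection(SAMPLE_EVENTS):
        print(pid, *reasons, sep="\n    ")
```

The office-parent edge alone will fire on some legitimate add-ins and printer drivers, so keep the no-arguments and wow64-child signals as separate fields in the alert: the report's event carries all three, which is what should drive the severity.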
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3732-7-0x0000000000580000-0x0000000000581000-memory.dmp (4KB)
- memory/3732-9-0x0000000004780000-0x0000000004B80000-memory.dmp (4.0MB)
- memory/4764-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4764-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4764-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)
- memory/4764-5-0x00007FFBDF9D0000-0x00007FFBE0007000-memory.dmp (6.2MB)
- memory/4764-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmp (64KB)

The dumps from pid 3732 (rundll32.exe) are the ones to start with: the 4.0MB region at 0x04780000 in the 32-bit process is large enough to hold a downloaded stage and is the natural place to look for the beacon whose config was extracted above. The pid 4764 dumps are 64-bit regions of WINWORD.EXE itself, and the same 64KB range at 0x00007FFBC05B0000 appears four times, so expect to find at most two distinct images there.