Analysis
-
max time kernel
136s -
max time network
130s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 06:50
Static task
static1
Behavioral task
behavioral1
Sample
ORDINE 2021004.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ORDINE 2021004.doc
Resource
win10v20201028
General
-
Target
ORDINE 2021004.doc
-
Size
196KB
-
MD5
797f651c45b0b81311e0e23844a448e2
-
SHA1
2bfaa69508304632718274c6a648cf28f0199bd3
-
SHA256
3fcb2dde6e1867fdbb5b6d5d9ed05a486b69855df4438dce4f4313f454effaf2
-
SHA512
61873f8c6e9fe9a67667fef1f57d60a25a5cae7f7df372a2f099849f764bc55361909c52f2cb62de9776350f7566b13f661d80cf350eb71b751bdefa4c815e68
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exeexplorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1664 4772 explorer.exe WINWORD.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4516 4772 explorer.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 14 3108 WScript.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4772 WINWORD.EXE 4772 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4772 WINWORD.EXE 4772 WINWORD.EXE 4772 WINWORD.EXE 4772 WINWORD.EXE 4772 WINWORD.EXE 4772 WINWORD.EXE 4772 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXEexplorer.exedescription pid process target process PID 4772 wrote to memory of 1664 4772 WINWORD.EXE explorer.exe PID 4772 wrote to memory of 1664 4772 WINWORD.EXE explorer.exe PID 4084 wrote to memory of 3108 4084 explorer.exe WScript.exe PID 4084 wrote to memory of 3108 4084 explorer.exe WScript.exe PID 4772 wrote to memory of 4516 4772 WINWORD.EXE explorer.exe PID 4772 wrote to memory of 4516 4772 WINWORD.EXE explorer.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDINE 2021004.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\restnatural.vbs2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\attacksix.exe2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\restnatural.vbs"2⤵
- Blocklisted process makes network request
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\attacksix.exeMD5
62962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
C:\Users\Admin\AppData\Local\Temp\restnatural.vbsMD5
d4926c9d3b391f4dddb6afbda8e36c0c
SHA1028b9ff60116aff36689ecc486b3748a19cb57fe
SHA256f2a1ece0b0e07f25d1800b0d02ebc8d642cd81c890f682e7ea6babff29004224
SHA5125daf4184ebf19cc844602ddbce92e638fb2b66b192e08abcc30e0572fb3c51be411dea5e21b115678d978294be0710f50ee5b56c63b7b96ce4cc30a8a53aa6bb
-
memory/1664-7-0x0000000000000000-mapping.dmp
-
memory/3108-9-0x0000000000000000-mapping.dmp
-
memory/4516-10-0x0000000000000000-mapping.dmp
-
memory/4772-2-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmpFilesize
64KB
-
memory/4772-3-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmpFilesize
64KB
-
memory/4772-4-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmpFilesize
64KB
-
memory/4772-6-0x00007FFBC05B0000-0x00007FFBC05C0000-memory.dmpFilesize
64KB
-
memory/4772-5-0x0000017320A20000-0x0000017321057000-memory.dmpFilesize
6.2MB