Analysis
-
max time kernel
135s -
max time network
129s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-03-2021 09:30
Static task
static1
Behavioral task
behavioral1
Sample
INV-1581.doc
Resource
win7v20201028
Behavioral task
behavioral2
Sample
INV-1581.doc
Resource
win10v20201028
General
-
Target
INV-1581.doc
-
Size
149KB
-
MD5
470b5f77bd00e2002939833ab72ad47a
-
SHA1
540fb80aae64faccbb47ced4d4ec57448ca4297e
-
SHA256
7df11aa42a30d550a3fba77ed9fc353108f4cac53a2dac6f29a6534dd0ecbd06
-
SHA512
69a569c079bf78693d751d3834f94888de5f3276b69d9eb63c09bec678335dbb0740337d87646ea26325851d2e4754c881d7c7512520d5831468bc07a84f6b55
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
explorer.exeexplorer.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2916 1212 explorer.exe WINWORD.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1224 1212 explorer.exe WINWORD.EXE -
Blocklisted process makes network request 1 IoCs
Processes:
WScript.exeflow pid process 12 2832 WScript.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1212 WINWORD.EXE 1212 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 1212 WINWORD.EXE 1212 WINWORD.EXE 1212 WINWORD.EXE 1212 WINWORD.EXE 1212 WINWORD.EXE 1212 WINWORD.EXE 1212 WINWORD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WINWORD.EXEexplorer.exedescription pid process target process PID 1212 wrote to memory of 2916 1212 WINWORD.EXE explorer.exe PID 1212 wrote to memory of 2916 1212 WINWORD.EXE explorer.exe PID 644 wrote to memory of 2832 644 explorer.exe WScript.exe PID 644 wrote to memory of 2832 644 explorer.exe WScript.exe PID 1212 wrote to memory of 1224 1212 WINWORD.EXE explorer.exe PID 1212 wrote to memory of 1224 1212 WINWORD.EXE explorer.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INV-1581.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\healthother.vbs2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Local\Temp\agoright.exe2⤵
- Process spawned unexpected child process
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\healthother.vbs"2⤵
- Blocklisted process makes network request
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\agoright.exeMD5
62962daa1b19bbcc2db10b7bfd531ea6
SHA1d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA25680c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA5129002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7
-
C:\Users\Admin\AppData\Local\Temp\healthother.vbsMD5
552f3e780bb97a3f81a732d5e26e2474
SHA1bfddf68ec2daf167f212a0157b258ead3827ca47
SHA256c711528dad5f1237a870ac01a6657579ac276dd30b0904aa0d4bcb795678d2ab
SHA5121fe1db760854d0182c20d80ae98a19679aee1760a508ddbc31eb3b9081f4d105259028dfcd14d08d7d3bfba2670685d896aa642cd630947fd58dd66b417da2a0
-
memory/1212-2-0x00007FFC22770000-0x00007FFC22780000-memory.dmpFilesize
64KB
-
memory/1212-3-0x00007FFC22770000-0x00007FFC22780000-memory.dmpFilesize
64KB
-
memory/1212-4-0x00007FFC22770000-0x00007FFC22780000-memory.dmpFilesize
64KB
-
memory/1212-5-0x00007FFC419B0000-0x00007FFC41FE7000-memory.dmpFilesize
6.2MB
-
memory/1212-6-0x00007FFC22770000-0x00007FFC22780000-memory.dmpFilesize
64KB
-
memory/1224-10-0x0000000000000000-mapping.dmp
-
memory/2832-9-0x0000000000000000-mapping.dmp
-
memory/2916-7-0x0000000000000000-mapping.dmp