Analysis
- max time kernel: 149s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-03-2021 10:14

Static task: static1

Behavioral task: behavioral1
  Sample: info (2).doc
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: info (2).doc
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: info (2).doc
- Size: 36KB
- MD5: fed40d2c7fd54c4bb79af4d7aeed141e
- SHA1: ffa20af1ec10ac49e54526205e1b168508b72f77
- SHA256: 8014c0158f80dd74af4b84df47bd058a8b14ec874b74cdfa765ce592f3db4e85
- SHA512: 6a8a75818b7dc06d2696819b350f1af0521d5e070d7cc3f3560dbd1f9c68e3dfbb5ca4e9c6cf48959418468d8377fc6d78585a9e152f704fcce09ba0158f54e0
- Score: 1/10
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3942946766" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705574eed514d701 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408682eed514d701 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3942946766" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30872789" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30872789" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150af8abdb68ef4baed50f904913d89f0000000002000000000010660000000100002000000039c4cd7970443a26933b7d8bf3da82095cd5f68c96bb5d196330eccb0f9c3aeb000000000e800000000200002000000002f8ee5c9f545d351644fde215f709839e5286913d10250b7bdb32ce7e5af7e420000000a2859333b4ad266ae4ca6ec16fc819bbc32c775f96f52da7b23559217211fc7340000000c1496c746174216b0129ecf2ac23aa7d6e795be8d80203758af3256dc8d4721973af60b3140e5b54933810db9a6484233064e85ced1ebf1ee63d59a43ac20076 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000150af8abdb68ef4baed50f904913d89f00000000020000000000106600000001000020000000224630058e1754e4082ed49b5d607d46ca8e1168cec44c0a727d17fbcb40d3c1000000000e8000000002000020000000ef68eec72d4f6cd6b0bb1a2e7dc96df21c0b150f2dfa8a0306a060737402981320000000ba1091ca5a7d70d1527f449abcbbd4dca169892e85143c5c3a2e8108a145002740000000b99a4f469041c656a303ebdedee0a330b554df9d60f54e7f8f10005dbe4457b42dfe44d59e41383785f22ef9059ec0b2b0c2123dec5cc8d02e502dbac6b99b32 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16584E50-80C9-11EB-B59A-F6A5F321BADB} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
496 | WINWORD.EXE
496 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
pid | process
3084 | iexplore.exe
-
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: WINWORD.EXE, iexplore.exe, IEXPLORE.EXE
pid | process
496 | WINWORD.EXE
496 | WINWORD.EXE
496 | WINWORD.EXE
496 | WINWORD.EXE
3084 | iexplore.exe
3084 | iexplore.exe
3636 | IEXPLORE.EXE
3636 | IEXPLORE.EXE
496 | WINWORD.EXE
496 | WINWORD.EXE
496 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: iexplore.exe
description | pid | process | target process
PID 3084 wrote to memory of 3636 | 3084 | iexplore.exe | IEXPLORE.EXE
PID 3084 wrote to memory of 3636 | 3084 | iexplore.exe | IEXPLORE.EXE
PID 3084 wrote to memory of 3636 | 3084 | iexplore.exe | IEXPLORE.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\info (2).doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of iexplore.exe, PID 3084)
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3084 CREDAT:82945 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/496-2-0x00007FF983B50000-0x00007FF983B60000-memory.dmp (Filesize 64KB)
- memory/496-3-0x00007FF983B50000-0x00007FF983B60000-memory.dmp (Filesize 64KB)
- memory/496-4-0x00007FF983B50000-0x00007FF983B60000-memory.dmp (Filesize 64KB)
- memory/496-5-0x000001F352990000-0x000001F352FC7000-memory.dmp (Filesize 6.2MB)
- memory/496-6-0x00007FF983B50000-0x00007FF983B60000-memory.dmp (Filesize 64KB)
- memory/3636-7-0x0000000000000000-mapping.dmp