Analysis
max time kernel: 94s
max time network: 120s
platform: windows10_x64
resource: win10v20201028
submitted: 09-03-2021 17:44
Static task: static1
Behavioral task: behavioral1
Sample: commerce _03.09.2021.doc
Resource: win10v20201028
General
Target: commerce _03.09.2021.doc
Size: 91KB
MD5: 0aa86c039d3fbad067749edf8a4ce659
SHA1: 15c9d4ba5557b47dbdde61831296c2d67ede7357
SHA256: 0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707
SHA512: bb41673650c28b4ebfd884f539f1be549124d70912278302dbe8781cf7e051a693b20c9a1d399a4789f0420841c26960cb1e381dede9cd107d433c352d56b9d1
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: xml.com
  pid | process
  2012 | xml.com

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  1192 | WINWORD.EXE
  1192 | WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (42 IoCs)
Processes: xml.com
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2012 | xml.com
  Token: SeSecurityPrivilege | 2012 | xml.com
  Token: SeTakeOwnershipPrivilege | 2012 | xml.com
  Token: SeLoadDriverPrivilege | 2012 | xml.com
  Token: SeSystemProfilePrivilege | 2012 | xml.com
  Token: SeSystemtimePrivilege | 2012 | xml.com
  Token: SeProfSingleProcessPrivilege | 2012 | xml.com
  Token: SeIncBasePriorityPrivilege | 2012 | xml.com
  Token: SeCreatePagefilePrivilege | 2012 | xml.com
  Token: SeBackupPrivilege | 2012 | xml.com
  Token: SeRestorePrivilege | 2012 | xml.com
  Token: SeShutdownPrivilege | 2012 | xml.com
  Token: SeDebugPrivilege | 2012 | xml.com
  Token: SeSystemEnvironmentPrivilege | 2012 | xml.com
  Token: SeRemoteShutdownPrivilege | 2012 | xml.com
  Token: SeUndockPrivilege | 2012 | xml.com
  Token: SeManageVolumePrivilege | 2012 | xml.com
  Token: 33 | 2012 | xml.com
  Token: 34 | 2012 | xml.com
  Token: 35 | 2012 | xml.com
  Token: 36 | 2012 | xml.com
  (the same 21 token adjustments are reported a second time for PID 2012, 42 IoCs in total)

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes: WINWORD.EXE
  pid | process
  1192 | WINWORD.EXE (reported 17 times)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: WINWORD.EXE, xml.com
  description | pid | process | target process
  PID 1192 wrote to memory of 2012 | 1192 | WINWORD.EXE | xml.com
  PID 1192 wrote to memory of 2012 | 1192 | WINWORD.EXE | xml.com
  PID 2012 wrote to memory of 3416 | 2012 | xml.com | regsvr32.exe
  PID 2012 wrote to memory of 3416 | 2012 | xml.com | regsvr32.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce _03.09.2021.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\programdata\xml.com (child of 1)
      Command line: "C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\regsvr32.exe (child of 2)
         Command line: regsvr32 c:\programdata\58886.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\xml.com
  MD5: 4191f61f2449ccc2bc2f2ac6d8898ce7
  SHA1: d49936fc8a03561214ce4bf9791ca59e94ab8fe9
  SHA256: 74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
  SHA512: fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f

\??\c:\programdata\58886.jpg
  MD5: 4dcb2e40b2730cd9d3a99276fc75c3f5
  SHA1: 202170a629dc8d6ca13bb8fce5effeabadfc84a0
  SHA256: 7764e8098c2b208213316207109cec34b604fb9b92569ae202c1a2c194936abe
  SHA512: 8aed4236deaba89feab1f5f596fe2460f8d0e0325e1714f7c87266076b9c947a04863157c79c3e723fea672ea5430dd8d592f781b398cf1a9de110113696429a

\??\c:\programdata\i.xsl
  MD5: 019bf95cfa8bd8cef5ccbe11a17d5b4a
  SHA1: 9617ac6e29d86217d54609d37d79bf7dcef986ae
  SHA256: 2b9c7426ad5db95c7924ea37084742b3af34cdcafad397584b28cf8ea343e774
  SHA512: 4a267d89006648a046f18565abeb9fe29b9a4cade415f4dfffb167e400e02eebeaca9c9a49dc73bec614f8faafeb5db772978a40cd17b9f74b14df4a11e07f6b

Memory dumps (file, filesize):
memory/1192-10-0x000001E95DB80000-0x000001E95DB84000-memory.dmp: 16KB
memory/1192-3-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-20-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-5-0x000001E94E780000-0x000001E94EDB7000-memory.dmp: 6.2MB
memory/1192-4-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-2-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-19-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-6-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-13-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp: 43.1MB
memory/1192-14-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp: 43.1MB
memory/1192-15-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp: 43.1MB
memory/1192-16-0x00007FFE1EBF0000-0x00007FFE21713000-memory.dmp: 43.1MB
memory/1192-17-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/1192-18-0x00007FFDFD230000-0x00007FFDFD240000-memory.dmp: 64KB
memory/2012-7-0x0000000000000000-mapping.dmp
memory/3416-11-0x0000000000000000-mapping.dmp