Analysis
max time kernel: 213s
max time network: 214s
platform: windows10_x64
resource: win10v20201028
submitted: 09-03-2021 09:16
Static task: static1
Behavioral task: behavioral1
Sample: question_02.26.2021.doc
Resource: win10v20201028
Errors
General
Target: question_02.26.2021.doc
Size: 91KB
MD5: 3e78c2d7b361f51ea5cc8bb911f970da
SHA1: 84de4d86e7886b8fe7ae6510c9f27d92c53252c1
SHA256: b616ef8a46ee3aa2706f1f54e133662bf18b32d258ccadb77ca35030c56a8537
SHA512: 48436fbfaf2162f7ecfd64bb825fe7563d8ef054d4e6282141767e759ba3240ccc241711a285df25661c85b21ce225ef578d78511e7cd52c7ddcdf42c1780725
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2584  xml.com
  2124  xml.com
Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
Enables rebooting of the machine without requiring login credentials.
Processes:
  description   ioc                                                                                      process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked   LogonUI.exe
The only process behind this signature is C:\Windows\system32\LogonUI.exe (PID 516), the Windows logon screen. It is not spawned by WINWORD.EXE or by xml.com (see Processes), and nothing in the sample's own chain (WINWORD.EXE 1276 -> xml.com 2584/2124) touches Winlogon. Treat this, together with the HKEY_USERS writes below by the same process, as activity of the analysis image rather than persistence set up by the document, unless a link to the sample can be shown.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
The reader here is WINWORD.EXE (PID 1276), the Office host, not the dropped xml.com. A VBA macro probing the CPU would also be attributed to WINWORD.EXE, so this signature cannot by itself separate Word's own start-up reads from macro-driven evasion checks; the process chain under Processes is the stronger evidence.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                             process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
Modifies data under HKEY_USERS (15 IoCs)
Processes (all by LogonUI.exe):
  description       ioc
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  1276  WINWORD.EXE
  1276  WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  pid   process  tokens enabled, in order
  2584  xml.com  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-privilege pass is recorded twice: 42 IoCs)
  2124  xml.com  the same 21-privilege pass once, followed by one further SeIncreaseQuotaPrivilege (22 IoCs)
The numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege and 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set in one sweep, SeDebugPrivilege included, is the behaviour of a process that switches on every privilege already present in its token rather than a targeted escalation: AdjustTokenPrivileges cannot add privileges the token does not hold, so xml.com ran with whatever the Admin user already had.
Suspicious use of SetWindowsHookEx (25 IoCs)
Processes:
  pid   process      count
  1276  WINWORD.EXE  23
  516   LogonUI.exe  2
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                        pid   process      target process
  PID 1276 wrote to memory of 2584   1276  WINWORD.EXE  xml.com
  PID 1276 wrote to memory of 2584   1276  WINWORD.EXE  xml.com
  PID 1276 wrote to memory of 2124   1276  WINWORD.EXE  xml.com
  PID 1276 wrote to memory of 2124   1276  WINWORD.EXE  xml.com
The targets are the two xml.com children WINWORD.EXE creates (see Processes). A parent writes into a freshly created child's address space as part of CreateProcess, so this is the record of Word launching xml.com twice, not injection into an unrelated process; the finding is the parent-child relationship itself, i.e. Word running a binary out of C:\ProgramData.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 1276)
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question_02.26.2021.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\programdata\xml.com  (PID 2584)
      "C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
   2. C:\programdata\xml.com  (PID 2124)
      "C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\system32\LogonUI.exe  (PID 516)
   "LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
   - Modifies WinLogon to allow AutoLogon
   - Modifies data under HKEY_USERS
   - Suspicious use of SetWindowsHookEx
(PIDs are taken from the signature tables; the two xml.com children are listed in the order WINWORD.EXE wrote to them. LogonUI.exe is a separate top-level process, not a child of the sample.)

What the chain shows: Word, hosting the document, writes a binary named xml.com to C:\ProgramData and runs it twice with `process list /format : "c:\programdata\i.xsl"`. That is the syntax of WMIC's `/format` switch, which loads an XSL file and executes the script embedded in it (ATT&CK T1220, XSL Script Processing); the dropped i.xsl is listed under Downloads, so the payload that matters is the script inside i.xsl, not xml.com. The report does not identify what xml.com is. Whether it is a renamed copy of C:\Windows\System32\wbem\WMIC.exe can be settled by comparing its hashes under Downloads (MD5 4191f61f2449ccc2bc2f2ac6d8898ce7) with the WMIC.exe on the analysis image. Two details matter for detection: the binary carries a `.com` extension and lives in a user-writable directory, and the switch is written with spaces as `/format :`, so a rule keyed on the image name `wmic.exe` or on the literal `/format:` would miss this invocation.
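Detection logic for the chain above, as an added example that is not part of the sandbox report. It replays a few constructed process-creation records (Sysmon Event ID 1 style fields: pid, ppid, image, command line) modelled on the process tree, plus benign records for contrast, and flags the Office parent, the non-.exe binary in a user-writable path, and the WMIC-style `/format` XSL switch, tolerating the space-padded `/format :` seen in this report. The record field names and the explorer.exe/winlogon.exe parent PIDs (900 and 700) are assumptions made for the example; the report does not show them.

```python
"""Flag Office -> dropped binary -> WMIC-style XSL script processing.

Added example; not code from the sandbox or the report. Record fields and the
parent pids 900/700 are assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts that should not be launching script processors or binaries
# out of user-writable directories.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Paths any user can write to; a binary launched from one of these by Office
# is the "Executes dropped EXE" pattern in the report.
USER_WRITABLE_DIRS = ("c:\\programdata\\", "\\appdata\\", "\\users\\public\\")

# WMIC's XSL switch. The report's command line pads it as '/format : "file"',
# so whitespace around the colon and optional quotes are tolerated; a rule
# keyed on the literal '/format:' would miss it.
WMIC_XSL_FORMAT = re.compile(r'/format\s*:\s*"?([^"\s]+\.xsl)"?', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the executable that started
    command_line: str


@dataclass
class Finding:
    pid: int
    image: str
    xsl_path: Optional[str]
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per event that matches the chain.

    XSL script processing is reported on its own; the weaker signals (Office
    parent, non-.exe binary in a user-writable path) only when both occur.
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        reasons: List[str] = []
        parent = by_pid.get(e.ppid)
        office_parent = parent is not None and basename(parent.image) in OFFICE_IMAGES
        if office_parent:
            reasons.append(f"parent is Office host {basename(parent.image)} (pid {parent.pid})")

        image_lower = e.image.lower()
        odd_location = (any(d in image_lower for d in USER_WRITABLE_DIRS)
                        and not image_lower.endswith(".exe"))
        if odd_location:
            reasons.append(f"non-.exe binary run from user-writable path: {e.image}")

        match = WMIC_XSL_FORMAT.search(e.command_line)
        xsl_path = match.group(1) if match else None
        if xsl_path:
            reasons.append(f"WMIC-style XSL script processing via /format: {xsl_path}")

        if xsl_path or (office_parent and odd_location):
            findings.append(Finding(e.pid, e.image, xsl_path, reasons))
    return findings


# Constructed records modelled on the report's process tree. Parent pids 900
# (explorer.exe) and 700 (winlogon.exe) are assumptions. The last record is a
# benign contrast: WMIC run from its real location without an XSL.
SAMPLE_EVENTS = [
    ProcEvent(1276, 900, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
              r'"C:\Users\Admin\AppData\Local\Temp\question_02.26.2021.doc" /o ""'),
    ProcEvent(2584, 1276, r"C:\programdata\xml.com",
              r'"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"'),
    ProcEvent(2124, 1276, r"C:\programdata\xml.com",
              r'"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"'),
    ProcEvent(516, 700, r"C:\Windows\system32\LogonUI.exe",
              r'"LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d'),
    ProcEvent(3000, 900, r"C:\Windows\System32\wbem\WMIC.exe", r"wmic os get caption"),
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image}")
        for r in f.reasons:
            print(f"  - {r}")
```

Against the sample records only the two xml.com children (PIDs 2584 and 2124) are reported, each with all three reasons; WINWORD.EXE, LogonUI.exe and the legitimate WMIC invocation are not. To run this over real telemetry, map Sysmon's Image, ParentProcessId and CommandLine fields onto ProcEvent; the XSL regex is the part worth keeping verbatim, since it is what catches the padded `/format :` form.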
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\xml.com  (listed twice in the report; one file, executed as PIDs 2584 and 2124)
  MD5: 4191f61f2449ccc2bc2f2ac6d8898ce7
  SHA1: d49936fc8a03561214ce4bf9791ca59e94ab8fe9
  SHA256: 74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
  SHA512: fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
\??\c:\programdata\i.xsl  (listed twice in the report; the XSL passed to xml.com via /format, so this is the script payload; its content is not captured here)
  MD5: 38c25b5908e3f920a1516d1f238b28dd
  SHA1: 089b3afaee7fe167fa550af5fc465d4e75934373
  SHA256: bd2028a5e8b75a25b9dcfd0edf682aba093883ced5d25b98371e10625a3c2c50
  SHA512: 4a4a8a5b3ba1cc62e0e2ba8fa2e63ea29a4db95cb27da1122bd5b9bc24d24e734f06ef1c34117901c9c5565134accdf4c6ec399098382a419e99a80d75fc91e3
Memory dumps (ordered by dump index):
  dump                                                               filesize
  memory/1276-2-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp     64KB
  memory/1276-3-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp     64KB
  memory/1276-4-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp     64KB
  memory/1276-5-0x0000025524280000-0x00000255248B7000-memory.dmp     6.2MB
  memory/1276-6-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp     64KB
  memory/1276-7-0x0000025532A10000-0x0000025532A14000-memory.dmp     16KB
  memory/2584-8-0x0000000000000000-mapping.dmp                       (mapping, no size listed)
  memory/2124-11-0x0000000000000000-mapping.dmp                      (mapping, no size listed)
  memory/1276-14-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp    43.1MB
  memory/1276-15-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp    43.1MB
  memory/1276-16-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp    43.1MB
  memory/1276-17-0x00007FFC65120000-0x00007FFC67C43000-memory.dmp    43.1MB
  memory/1276-18-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp    64KB
  memory/1276-19-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp    64KB
  memory/1276-20-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp    64KB
  memory/1276-21-0x00007FFC444D0000-0x00007FFC444E0000-memory.dmp    64KB