Analysis
- max time kernel: 139s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-03-2021 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: commerce _03.09.2021.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: commerce _03.09.2021.doc
  Resource: win10v20201028
General
- Target: commerce _03.09.2021.doc
- Size: 91KB
- MD5: 0aa86c039d3fbad067749edf8a4ce659
- SHA1: 15c9d4ba5557b47dbdde61831296c2d67ede7357
- SHA256: 0c8704fd49a85bec94233219640e3bae68aa4030b3ae6e582d502dbef38b6707
- SHA512: bb41673650c28b4ebfd884f539f1be549124d70912278302dbe8781cf7e051a693b20c9a1d399a4789f0420841c26960cb1e381dede9cd107d433c352d56b9d1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3564  xml.com
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (WINWORD.EXE):
    Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (WINWORD.EXE):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    PID 880  WINWORD.EXE (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  Processes: PID 3564  xml.com
  Each of the following 21 privileges was adjusted twice (42 events in total):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege,
    SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes:
    PID 880  WINWORD.EXE (17 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source PID / process -> target PID / process):
    PID 880  WINWORD.EXE  wrote to memory of  3564  xml.com
    PID 880  WINWORD.EXE  wrote to memory of  3564  xml.com
    PID 3564 xml.com      wrote to memory of  3968  regsvr32.exe
    PID 3564 xml.com      wrote to memory of  3968  regsvr32.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce _03.09.2021.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\programdata\xml.com (child of 1)
      Command line: "C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SYSTEM32\regsvr32.exe (child of 2)
         Command line: regsvr32 c:\programdata\58886.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\xml.com
  MD5:    4191f61f2449ccc2bc2f2ac6d8898ce7
  SHA1:   d49936fc8a03561214ce4bf9791ca59e94ab8fe9
  SHA256: 74d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
  SHA512: fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
- \??\c:\programdata\58886.jpg
  MD5:    cc27f97020f8e62bdd670ff1dc5d6c0f
  SHA1:   50a767c62c3b69ea2c81c5218b4303c10a218943
  SHA256: ef17720640796bbdbd60fe6f961a6319eb392963e3348f84d5a533961734f486
  SHA512: b6914b2e3b7e91fcdf70fa7227fdf50debbcd8ebe70a6b978e9775f4380c16e50cf17bd4fd2fe780caabea1fcc2eefa1b3ac0271cdc25c115a9ca83cb2cd0473
- \??\c:\programdata\i.xsl
  MD5:    019bf95cfa8bd8cef5ccbe11a17d5b4a
  SHA1:   9617ac6e29d86217d54609d37d79bf7dcef986ae
  SHA256: 2b9c7426ad5db95c7924ea37084742b3af34cdcafad397584b28cf8ea343e774
  SHA512: 4a267d89006648a046f18565abeb9fe29b9a4cade415f4dfffb167e400e02eebeaca9c9a49dc73bec614f8faafeb5db772978a40cd17b9f74b14df4a11e07f6b
- memory/880-2-0x00007FF920240000-0x00007FF920250000-memory.dmp (Filesize: 64KB)
- memory/880-3-0x00007FF920240000-0x00007FF920250000-memory.dmp (Filesize: 64KB)
- memory/880-4-0x00007FF920240000-0x00007FF920250000-memory.dmp (Filesize: 64KB)
- memory/880-5-0x00007FF920240000-0x00007FF920250000-memory.dmp (Filesize: 64KB)
- memory/880-6-0x000002173BFA0000-0x000002173C5D7000-memory.dmp (Filesize: 6.2MB)
- memory/880-7-0x000002174A8A0000-0x000002174A8A4000-memory.dmp (Filesize: 16KB)
- memory/3564-8-0x0000000000000000-mapping.dmp
- memory/3968-11-0x0000000000000000-mapping.dmp