Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 12:49
Static task
static1
Behavioral task
behavioral1
Sample
files_05.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
files_05.21.doc
Resource
win10v20210410
General
-
Target
files_05.21.doc
-
Size
75KB
-
MD5
f143869b5567d92152addee5f40b2544
-
SHA1
641ba7fc05997aca01b83dfbaa078c86d4b6b7df
-
SHA256
9e7906cf5f653a70e1a30828d805dcf165b50a7e664cb94de562771203219e21
-
SHA512
655f4d350a12b39aadbdf7eae54c2e7f39bdd751bede45c28c044f207aef5e4e80abe3031b069331e76a28b2ae1e29438b4fe13815832bd9e25f6484bb1a62fd
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 748 3776 rundll32.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3680 WINWORD.EXE 3680 WINWORD.EXE 3776 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3776 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE 3680 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 3776 wrote to memory of 748 3776 WINWORD.EXE rundll32.exe PID 3776 wrote to memory of 748 3776 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files_05.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3680
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe c:\programdata\storageArgument.jpg,PluginInit2⤵
- Process spawned unexpected child process
PID:748
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
c818d1a2303069fccb29a84353a0e4b9
SHA129cf56b6ca40bc9333728ea3c92b4e2dd8f63087
SHA256ba8bddb399ff54df8d1f560fe3e695d0b0ed072617cb5b485647730e2285e084
SHA512162d75f4a6f07cacfbd457a7b2e01c24d9fe91bf7a77c11f9ec9326a62d6ddcb4c22e848d863311456d065898a7e007f8ed22f4c98f26255c77ee854a84f3252
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
c23e39ffa272b9f1663b6a43e7684594
SHA1b955fc2884bd64fc5bd48e440ca4272048177ee7
SHA2568caefa99d3f701c57008cde8a5f5faa90a14018a8b7867242a4b90f7a2719a7c
SHA512ffb849952e020051ab0769ba0f8ade10a4698be1896f36ddbc3fdda573b5e0284c643b362d86f8133a93526786822fe155de07406b98a4b2197e138ada5330d1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0E41A45B-0BB3-4AD5-A08B-1ECD5C3DB71DMD5
1ff1ad734f61c2b95c4f106f3f4158f4
SHA1624767fe3a4dd799f4864efa574bd03068f10b55
SHA256470dcee0cf34adec248d1d1042270731022c25f2b49876688a11726e7468e1f7
SHA512b16a6c0513ee42a9ebf7246954043da835cb9d0d7323e3593652769cc1ed8df9ef9de8ab39244f7cd79d2feed8a014f272759d37ee123bd59502f8d34351a632
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
b33b89b3e88213f5aa19fe207a0cb5f6
SHA125b43ad294dc7e51ef28191ba15e431efff53efa
SHA2560fb8aeb2d4b45952649d794c3ca885cfa30a69ac95d6a475a7f6ec334705bcfe
SHA512af66aa0b2e79542ee0ce066bd927fa00fe03a5305ada4f30cba0e408a3f734b539f8679c0f96ff258ab975c1c9cfec9d7dcf504f87bc21849b2a0b00e4d3a9da
-
\??\c:\programdata\storageArgument.jpgMD5
d9fea499cf43ca9d1b3c30aa11c36b32
SHA12029ac0cf93300b10cee62f02c2f0efa41a6d451
SHA25677c624edd299f5d5c87c5d88f4c7c954edc4bed3ab5d1a2d315b318ba9eab8a6
SHA5122d9b2676582bf5ab24620fe71320a659e574ac9add3dc2b00cfad856dd425b669cc457908fa35bb8d2d3031e459b7ff4965083cb29e2a2325f381422b1fd8ca9
-
memory/748-182-0x0000000000000000-mapping.dmp
-
memory/3680-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/3680-123-0x00007FF8736A0000-0x00007FF875595000-memory.dmpFilesize
31.0MB
-
memory/3680-179-0x000002EB6AB30000-0x000002EB6AB34000-memory.dmpFilesize
16KB
-
memory/3680-122-0x00007FF876250000-0x00007FF87733E000-memory.dmpFilesize
16.9MB
-
memory/3680-118-0x00007FF87BE00000-0x00007FF87E923000-memory.dmpFilesize
43.1MB
-
memory/3680-119-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/3680-114-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/3680-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/3680-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB