1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29

Analysis

max time kernel
101s
max time network
133s
platform
windows10_x64
resource
win10v20210410
submitted
12-05-2021 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e6f7611_by_Libranalysis.doc
Size

46KB
MD5

5e6f7611a06e85b75cfee330aa78f24d
SHA1

a5185fda51374567ae666cea5ef582befd789572
SHA256

1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29
SHA512

fee01b8a7e674c9d1369f5803cd05985961a07277e5ada40692836ad567ce714788dca1dfca598c348c6d73688e18e488d6b5c6b4fb63cb21bd1fdcb8408f26d

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3812	1412	rundll32.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3868 WINWORD.EXE
3868 WINWORD.EXE
1412 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

3868 WINWORD.EXE
3868 WINWORD.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
1412	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE
3868	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1412 wrote to memory of 3812	1412	WINWORD.EXE	rundll32.exe
PID 1412 wrote to memory of 3812	1412	WINWORD.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e6f7611_by_Libranalysis.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\programdata\structPasteTable.jpg,PluginInit
2⤵
- Process spawned unexpected child process
PID:3812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
a0f3b3d0ffb2e8c7d6a227f209a04dd7

SHA1
1f27536c650d4cd5675a55e0503acc590879dbc4

SHA256
710e185e0af1c4e63eacd521f7a32bba91f13a031fa2d1ee4a3adf77a8300a2a

SHA512
fde0f0a08e7eeb8058c845614cd22f89ea922dc9968dd7590c4a92e27260c62e542dc7a2d8373025ff2ce9a589b2c8d287fb6f67089dd0e72aa73f759f334209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
0dfff21b75c40fe1045d487179654982

SHA1
b306607aaa29905d13275646873b386c6c4eb2e9

SHA256
78e9b1db0faa7614a37a14269c973f48d57a56255feee56bc59385efffe2787f

SHA512
280f21b2ab395e937ebceaec7e4ec5d5c5046779b75db33b178dfb8bff854ee8ebca5e178b488653e4c7b861da74ffe47643bac8f73768a67d34fe012d891b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2E34DCD8-650E-4898-B77C-B38B5BC688F2
MD5
7265ccd21fe614b9f6b5337da97fd65d

SHA1
919f8751c7a67d440a2549f990644989d73b6912

SHA256
49bd7c78bba1218384da027674b4c058628d139db4bd0c56e979be4157b8c500

SHA512
fe064a62556aa720fc11931e4faee2af374934302a7bc8c18ca2219445a4f8def1169f975a6168f98575c8523208632034cd2b0f8a2bff8e752ccbbd21870ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
346de5d3eb9f899141d80c5f54d27f63

SHA1
f1330a4537b66a13f60f8c65edc3f2e9a645470b

SHA256
07fda7de88be4dc5ae7b765cdcff9f173a8cbb450afd15e36e280d300f956fe5

SHA512
61afb0c56de831abe2ccfef4d69b94329ca6007d57379c918b8e7425c4ce4837e27aa66653348480ec283e977774602b5f35df55ec6d51fbf45abde764f3c963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
aa86c2bc38958732e1b5b58e352e74ea

SHA1
0a0831655a3c514d0957ee0421fd603e88d30a42

SHA256
f21fb1dc6e2570f883101898fa494426df16434178a37d975f227b103a44aadc

SHA512
df2d437a51b929d894d915173ab5069981b77a52de15ca518d46b1e98e587847fa841deeb720dd2a889597006e39582c0d98e68d8d92e153d6f037d44a103d65

Download Submit
\??\c:\programdata\structPasteTable.jpg
MD5
b8a509d788aeb9f0a5e876fbd4125153

SHA1
c496e11f64a3dfb6bfffac827e34fd64a2b96cf3

SHA256
7563040b38aaea45ef67ef90161f82c22c6d6281c53b6b3c085f4ebe98c4f1f3

SHA512
a47cbb0bd295c9a5a80769c1a5b7776b4d75377cf37c8b2e9b14bdde19854885253b718306aa84a2a830d2fcbefb188368c70b9699b3a7eed99b739cc0c26f21

Download Submit
memory/3812-182-0x0000000000000000-mapping.dmp

Download
memory/3868-114-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3868-179-0x000002227FE00000-0x000002227FE04000-memory.dmp

Filesize
16KB

Download
memory/3868-123-0x00007FFC09790000-0x00007FFC0B685000-memory.dmp

Filesize
31.0MB

Download
memory/3868-122-0x00007FFC0B690000-0x00007FFC0C77E000-memory.dmp

Filesize
16.9MB

Download
memory/3868-118-0x00007FFC11D50000-0x00007FFC14873000-memory.dmp

Filesize
43.1MB

Download
memory/3868-119-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3868-117-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3868-116-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download
memory/3868-115-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp

Filesize
64KB

Download