Analysis
- max time kernel: 101s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 12-05-2021 14:03
Static task: static1
Behavioral task: behavioral1
- Sample: 5e6f7611_by_Libranalysis.doc
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 5e6f7611_by_Libranalysis.doc
- Resource: win10v20210410
General
- Target: 5e6f7611_by_Libranalysis.doc
- Size: 46KB
- MD5: 5e6f7611a06e85b75cfee330aa78f24d
- SHA1: a5185fda51374567ae666cea5ef582befd789572
- SHA256: 1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29
- SHA512: fee01b8a7e674c9d1369f5803cd05985961a07277e5ada40692836ad567ce714788dca1dfca598c348c6d73688e18e488d6b5c6b4fb63cb21bd1fdcb8408f26d
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3812 | 1412 | rundll32.exe | WINWORD.EXE
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes (pid | process):
    3868 | WINWORD.EXE
    3868 | WINWORD.EXE
    1412 | WINWORD.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    3868 | WINWORD.EXE
    3868 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (28 IoCs)
  Processes (pid | process):
    3868 | WINWORD.EXE (14 entries)
    1412 | WINWORD.EXE (10 entries)
    3868 | WINWORD.EXE (4 entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description | pid | process | target process):
    PID 1412 wrote to memory of 3812 | 1412 | WINWORD.EXE | rundll32.exe
    PID 1412 wrote to memory of 3812 | 1412 | WINWORD.EXE | rundll32.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3868)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5e6f7611_by_Libranalysis.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1412)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID 3812, child of PID 1412)
    Command line: C:\Windows\System32\rundll32.exe c:\programdata\structPasteTable.jpg,PluginInit
    - Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2E34DCD8-650E-4898-B77C-B38B5BC688F2
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal (captured twice)
- \??\c:\programdata\structPasteTable.jpg
- memory/3812-182-0x0000000000000000-mapping.dmp
- memory/3868-114-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp (64KB)
- memory/3868-179-0x000002227FE00000-0x000002227FE04000-memory.dmp (16KB)
- memory/3868-123-0x00007FFC09790000-0x00007FFC0B685000-memory.dmp (31.0MB)
- memory/3868-122-0x00007FFC0B690000-0x00007FFC0C77E000-memory.dmp (16.9MB)
- memory/3868-118-0x00007FFC11D50000-0x00007FFC14873000-memory.dmp (43.1MB)
- memory/3868-119-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp (64KB)
- memory/3868-117-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp (64KB)
- memory/3868-116-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp (64KB)
- memory/3868-115-0x00007FFBF09B0000-0x00007FFBF09C0000-memory.dmp (64KB)