Analysis
- max time kernel: 132s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-05-2021 10:05

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: ecb02fbc_by_Libranalysis.doc, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: ecb02fbc_by_Libranalysis.doc, Resource: win10v20210408)
General
- Target: ecb02fbc_by_Libranalysis.doc
- Size: 10KB
- MD5: ecb02fbc03e5081a20ee10b35eb1efe8
- SHA1: d41872cf3b63ef4b2292c3aed946e8515d2b9dda
- SHA256: ff71526ee8d92ee36f36e5daa68bfc81e64a71931b2baf14b350a38d25ac5f10
- SHA512: cc23a244487612e9c317e4b9d07b73e1315f25257aa60f6b9bb84bc9dbf3c4c16e59e561a0301c3dd4376a314abde733f212d43fde0c2c924e047a8b1ac65e2f
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: MsoSync.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4068 | 672 | MsoSync.exe | WINWORD.EXE

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: MsoSync.exe, WINWORD.EXE
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MsoSync.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | MsoSync.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | MsoSync.exe

- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | MsoSync.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | MsoSync.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | MsoSync.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    672 | WINWORD.EXE (2 IoCs)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
    description | pid | process
    Token: SeAuditPrivilege | 672 | WINWORD.EXE
    Token: SeAuditPrivilege | 4068 | MsoSync.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: MsoSync.exe
    pid | process
    4068 | MsoSync.exe (3 IoCs)

- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: MsoSync.exe
    pid | process
    4068 | MsoSync.exe (3 IoCs)

- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: WINWORD.EXE, MsoSync.exe
    pid | process
    672 | WINWORD.EXE (16 IoCs)
    4068 | MsoSync.exe (1 IoC)

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: WINWORD.EXE
    description | pid | process | target process
    PID 672 wrote to memory of 4068 | 672 | WINWORD.EXE | MsoSync.exe
    PID 672 wrote to memory of 4068 | 672 | WINWORD.EXE | MsoSync.exe
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 672)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ecb02fbc_by_Libranalysis.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe (PID 4068, child of 1)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"
   - Process spawned unexpected child process
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.accdb
  MD5: 2c32b74a6192a8f6e5357c3239164ddb
  SHA1: 52b986f7e5dba0a6d84c557ae1badb96c4900bba
  SHA256: 8ff6ef2e6a7575e2027c8a5f6a5b8547569ff371106f092d4264b2e04a562433
  SHA512: b7a80490552325c4fb26a730b9f0781c8cd875e8c4bf19a7df582ae4bc21768bec1ec00a62312eae498b45cac733f94b078a0b1966f860be74da49ca5fd0c580

- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\OfficeFileCache\CentralTable.laccdb
  MD5: 6a4185d3246b15d5e3fa6f9f59c94ba4
  SHA1: b500c294fa82165c48ed63903a1572e99fc1a975
  SHA256: 450af3a2b2ec48227df11cf655bcf40d69ea672f1c229687eef193dcd98ae978
  SHA512: a4d896bc02c91fd0f4d45df010347a353dadcd8517ea516f32bc4969718ba023c285f7a2ee36f6a49754074b9278b0741790c149957d051095c451fd53ba3746
Memory dumps
- memory/672-117-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)
- memory/672-119-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)
- memory/672-118-0x00007FF8CDC40000-0x00007FF8D0763000-memory.dmp (Filesize: 43.1MB)
- memory/672-122-0x00007FF8C9130000-0x00007FF8CA21E000-memory.dmp (Filesize: 16.9MB)
- memory/672-123-0x00007FF8C6780000-0x00007FF8C8675000-memory.dmp (Filesize: 31.0MB)
- memory/672-114-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)
- memory/672-116-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)
- memory/672-115-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)
- memory/4068-179-0x0000000000000000-mapping.dmp
- memory/4068-180-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmp (Filesize: 64KB)