4d49ae7c236083099228b2bb42288560a7110face080ea63e20fe25c99840744

Analysis

max time kernel
103s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
18-06-2021 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc
Size

45KB
MD5

cf6d17f7df9d3702c297b9f54bb5c571
SHA1

d554fe56cf733ccb72cf3581b53ec2fcb60106a8
SHA256

fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c
SHA512

f7f069e30042ac9e4334d0279517bd7b24ba982d38a216405ad58762888c6bd9037eaa8ce69333b1fd7638eb77f6b66df45bcad4d407361e22001b5f64045534

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1104	3412	regsvr32.exe	WINWORD.EXE

Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

744 regsvr32.exe
744 regsvr32.exe

pid	process
744	regsvr32.exe
744	regsvr32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3968 WINWORD.EXE
3968 WINWORD.EXE
3412 WINWORD.EXE

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3412	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE
3968	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXEregsvr32.exe

description	pid	process	target process
PID 3412 wrote to memory of 1104	3412	WINWORD.EXE	regsvr32.exe
PID 3412 wrote to memory of 1104	3412	WINWORD.EXE	regsvr32.exe
PID 1104 wrote to memory of 744	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 744	1104	regsvr32.exe	regsvr32.exe
PID 1104 wrote to memory of 744	1104	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe c:\programdata\constException.jpg
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\constException.jpg
3⤵
- Loads dropped DLL
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
1df8c47949f9b5d4ab72a4e5a16040d4

SHA1
725e67a98b4014bae66504e2395b9dc02a7dff04

SHA256
8ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed

SHA512
ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
329f73b523a2329fb0487152cf2324ec

SHA1
79e1f84b2d2e4ea7d9fc466c5d52dff637fe71ed

SHA256
dffc6dcf3d44e8d88bab4dd00947784d44ae365b63ccad3e5f762a1bfd56f196

SHA512
1f8678ab118b2e748470b4c8abb1d2e31b407e708ff17ac8cce59a950dd73d3bd62bfc709e5505affe5180f2b784b8614111ef6e07a40334e4fc510ff4e06e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3FB1F025-1275-46CF-9E09-51E2880DCB05
MD5
afb147c098b5c5c1e082970d261d5a65

SHA1
cb29083e30e9dba52d6a91b4a4b02415322832df

SHA256
838cd67e6cd0aa800e09bd8de913dd9575f38fda7d4fcc350c975111e22c516d

SHA512
5dbab991a0955dd753cabe45c6703889aabff5f0267fd7d47df34754449c76e8865a8d54e9f151a3a214d28549f94c0a5cbf5e30fa57ae83027855dc20ff9571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
1182b244ae1813b876a476b453cf8358

SHA1
0135a8c356403a8c3643526640dd08fd11e6e96e

SHA256
ceccb772bb07c8d3fe38ff00686d05325778234bbd7c871aec6327a9fccb13f0

SHA512
45ca2f9639a434b04011810e99b869b3d3899c2e0e3befeff046dcd22e66d068d84c4b1c2882c70bf7a65d3acbe6cee21fc5a7735f42936e2402de5e65c2e37f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
1182b244ae1813b876a476b453cf8358

SHA1
0135a8c356403a8c3643526640dd08fd11e6e96e

SHA256
ceccb772bb07c8d3fe38ff00686d05325778234bbd7c871aec6327a9fccb13f0

SHA512
45ca2f9639a434b04011810e99b869b3d3899c2e0e3befeff046dcd22e66d068d84c4b1c2882c70bf7a65d3acbe6cee21fc5a7735f42936e2402de5e65c2e37f

Download Submit
\??\c:\programdata\constException.jpg
MD5
e5298c1b6b1895dd0854ea94a5c53179

SHA1
714d24b47b89f5e66f077078a77337468bff0a55

SHA256
6dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13

SHA512
f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a

Download Submit
\ProgramData\constException.jpg
MD5
e5298c1b6b1895dd0854ea94a5c53179

SHA1
714d24b47b89f5e66f077078a77337468bff0a55

SHA256
6dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13

SHA512
f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a

Download Submit
\ProgramData\constException.jpg
MD5
e5298c1b6b1895dd0854ea94a5c53179

SHA1
714d24b47b89f5e66f077078a77337468bff0a55

SHA256
6dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13

SHA512
f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a

Download Submit
memory/744-189-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/744-186-0x0000000000000000-mapping.dmp

Download
memory/1104-184-0x0000000000000000-mapping.dmp

Download
memory/3968-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/3968-123-0x00007FFDBC0C0000-0x00007FFDBDFB5000-memory.dmp

Filesize
31.0MB

Download
memory/3968-122-0x00007FFDBDFC0000-0x00007FFDBF0AE000-memory.dmp

Filesize
16.9MB

Download
memory/3968-118-0x00007FFDC4700000-0x00007FFDC7223000-memory.dmp

Filesize
43.1MB

Download
memory/3968-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/3968-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/3968-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download
memory/3968-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp

Filesize
64KB

Download