Analysis
-
max time kernel
103s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-06-2021 14:05
Static task
static1
Behavioral task
behavioral1
Sample
fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc
Resource
win10v20210410
General
-
Target
fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc
-
Size
45KB
-
MD5
cf6d17f7df9d3702c297b9f54bb5c571
-
SHA1
d554fe56cf733ccb72cf3581b53ec2fcb60106a8
-
SHA256
fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c
-
SHA512
f7f069e30042ac9e4334d0279517bd7b24ba982d38a216405ad58762888c6bd9037eaa8ce69333b1fd7638eb77f6b66df45bcad4d407361e22001b5f64045534
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1104 3412 regsvr32.exe WINWORD.EXE -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exepid process 744 regsvr32.exe 744 regsvr32.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3968 WINWORD.EXE 3968 WINWORD.EXE 3412 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3412 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE 3968 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEregsvr32.exedescription pid process target process PID 3412 wrote to memory of 1104 3412 WINWORD.EXE regsvr32.exe PID 3412 wrote to memory of 1104 3412 WINWORD.EXE regsvr32.exe PID 1104 wrote to memory of 744 1104 regsvr32.exe regsvr32.exe PID 1104 wrote to memory of 744 1104 regsvr32.exe regsvr32.exe PID 1104 wrote to memory of 744 1104 regsvr32.exe regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fd18a646bd32938babf115e7b5eacb30e39630779520f6df26924b7c6513995c.bin.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe c:\programdata\constException.jpg2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exec:\programdata\constException.jpg3⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
1df8c47949f9b5d4ab72a4e5a16040d4
SHA1725e67a98b4014bae66504e2395b9dc02a7dff04
SHA2568ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed
SHA512ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
329f73b523a2329fb0487152cf2324ec
SHA179e1f84b2d2e4ea7d9fc466c5d52dff637fe71ed
SHA256dffc6dcf3d44e8d88bab4dd00947784d44ae365b63ccad3e5f762a1bfd56f196
SHA5121f8678ab118b2e748470b4c8abb1d2e31b407e708ff17ac8cce59a950dd73d3bd62bfc709e5505affe5180f2b784b8614111ef6e07a40334e4fc510ff4e06e37
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5
f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5
c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3FB1F025-1275-46CF-9E09-51E2880DCB05MD5
afb147c098b5c5c1e082970d261d5a65
SHA1cb29083e30e9dba52d6a91b4a4b02415322832df
SHA256838cd67e6cd0aa800e09bd8de913dd9575f38fda7d4fcc350c975111e22c516d
SHA5125dbab991a0955dd753cabe45c6703889aabff5f0267fd7d47df34754449c76e8865a8d54e9f151a3a214d28549f94c0a5cbf5e30fa57ae83027855dc20ff9571
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
1182b244ae1813b876a476b453cf8358
SHA10135a8c356403a8c3643526640dd08fd11e6e96e
SHA256ceccb772bb07c8d3fe38ff00686d05325778234bbd7c871aec6327a9fccb13f0
SHA51245ca2f9639a434b04011810e99b869b3d3899c2e0e3befeff046dcd22e66d068d84c4b1c2882c70bf7a65d3acbe6cee21fc5a7735f42936e2402de5e65c2e37f
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
1182b244ae1813b876a476b453cf8358
SHA10135a8c356403a8c3643526640dd08fd11e6e96e
SHA256ceccb772bb07c8d3fe38ff00686d05325778234bbd7c871aec6327a9fccb13f0
SHA51245ca2f9639a434b04011810e99b869b3d3899c2e0e3befeff046dcd22e66d068d84c4b1c2882c70bf7a65d3acbe6cee21fc5a7735f42936e2402de5e65c2e37f
-
\??\c:\programdata\constException.jpgMD5
e5298c1b6b1895dd0854ea94a5c53179
SHA1714d24b47b89f5e66f077078a77337468bff0a55
SHA2566dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13
SHA512f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a
-
\ProgramData\constException.jpgMD5
e5298c1b6b1895dd0854ea94a5c53179
SHA1714d24b47b89f5e66f077078a77337468bff0a55
SHA2566dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13
SHA512f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a
-
\ProgramData\constException.jpgMD5
e5298c1b6b1895dd0854ea94a5c53179
SHA1714d24b47b89f5e66f077078a77337468bff0a55
SHA2566dfb5864e069974b512e70f844fb51f21aaf3b69a3a1d686365dc46d00056e13
SHA512f41c76273ff764ed14a7635682e98995caf6b7da0fb61868e45462ffeeae665012fbed9f77483ceef82a58d812d1482a837f4c36d1bbc3d985322e57b28f847a
-
memory/744-189-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/744-186-0x0000000000000000-mapping.dmp
-
memory/1104-184-0x0000000000000000-mapping.dmp
-
memory/3968-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-123-0x00007FFDBC0C0000-0x00007FFDBDFB5000-memory.dmpFilesize
31.0MB
-
memory/3968-122-0x00007FFDBDFC0000-0x00007FFDBF0AE000-memory.dmpFilesize
16.9MB
-
memory/3968-118-0x00007FFDC4700000-0x00007FFDC7223000-memory.dmpFilesize
43.1MB
-
memory/3968-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB
-
memory/3968-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmpFilesize
64KB