Analysis
-
max time kernel
101s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-06-2021 14:37
Static task
static1
Behavioral task
behavioral1
Sample
legal paper-06.18.2021.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
legal paper-06.18.2021.doc
Resource
win10v20210410
General
-
Target
legal paper-06.18.2021.doc
-
Size
45KB
-
MD5
431c63dfcdbee4be13b948b6340382ce
-
SHA1
f60de0bd4c89c99fc385f72636f50135387a3121
-
SHA256
9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c
-
SHA512
f6471d7b7393dd2b5febbdde0b0ae4bf86fa3418afcb7443e906e0ca717d8700cbb86fcc0995cdd8667a87f349706f02956f1906033a3fe68644eced092f5b41
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1548 4276 regsvr32.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 4440 WINWORD.EXE 4440 WINWORD.EXE 4276 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 4440 WINWORD.EXE 4440 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4276 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE 4440 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 4276 wrote to memory of 1548 4276 WINWORD.EXE regsvr32.exe PID 4276 wrote to memory of 1548 4276 WINWORD.EXE regsvr32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper-06.18.2021.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exeC:\Windows\System32\regsvr32.exe c:\programdata\pasteTmpRequest.jpg2⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
1df8c47949f9b5d4ab72a4e5a16040d4
SHA1725e67a98b4014bae66504e2395b9dc02a7dff04
SHA2568ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed
SHA512ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
3f886044a19982b09721a4a63cbf8f9f
SHA1f79a5c9e80b52866db6cc3ac944c00cfed419756
SHA2564c603c0b1ef11be8d6559869a26dd6c02b7f49e86a2597c7cf2e29e1a383a30b
SHA51231ad04193dc89bbd599916aba39e79dca0d526e2eaf0e0852885a951a6935a403e2ecab6558e573e06ca2a6f6c92752af24d675826fcc782cc5d45779b5a8b33
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5
f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5
c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A3EE8126-A558-4E77-B9B7-32DA02DAFC95MD5
b443367fdc2ade2f6cf404c18c46fd7e
SHA13798f6527910cbfa111ea4305ce8ea09fa2908dc
SHA25618e2a411a9843bcd5fa87ba8bdfa093e8630d654bb8ecf8dd4373567db0db22a
SHA5126f385d50072072e2176334625bedcf5140077a8ff84fa8c17bbced1d21dde315a95730d9807c8b48091c36b76c20a8ec2784028f6850045906c6a023dbdfbd4e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
4ace3566654ea7d2005eed3c9498a32b
SHA1ff9adfbb3b8b4f2d4f7eee078ce39aacc867b8cb
SHA256a4c60865114c522bcc4d2763c4b4a8815ceb7340c796e7f2db2d1dea9cb03235
SHA5121e5fe5a635a19f4046a587011994b9de7206d6913c62dba702e4e17d3c33622ad33e062acbfa71040bf200fcff8b51c033f6073bf771fb8ca33222735ba9b3e0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
4ace3566654ea7d2005eed3c9498a32b
SHA1ff9adfbb3b8b4f2d4f7eee078ce39aacc867b8cb
SHA256a4c60865114c522bcc4d2763c4b4a8815ceb7340c796e7f2db2d1dea9cb03235
SHA5121e5fe5a635a19f4046a587011994b9de7206d6913c62dba702e4e17d3c33622ad33e062acbfa71040bf200fcff8b51c033f6073bf771fb8ca33222735ba9b3e0
-
\??\c:\programdata\pasteTmpRequest.jpgMD5
95af0fb82b086b3cef9afb2041ad75a9
SHA12cffd9e7fd781db32dc21bf1a9a6e0aa3ec035c8
SHA256849f1a525e10f73dc7b0d0f9b8b71d9b8578b9f73506f78056fdd52e10966ca6
SHA512de528ca04d5aec116ee375f6de93a2214aee33c413d87ec286211e90b16a4265b2e4854a346b412fb8563c45a1de95f6830650d26204cd77c9c72dd4bd7b2012
-
memory/1548-181-0x0000000000000000-mapping.dmp
-
memory/4440-114-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmpFilesize
64KB
-
memory/4440-123-0x00007FF9CD2D0000-0x00007FF9CF1C5000-memory.dmpFilesize
31.0MB
-
memory/4440-122-0x00007FF9D0590000-0x00007FF9D167E000-memory.dmpFilesize
16.9MB
-
memory/4440-118-0x00007FF9D5390000-0x00007FF9D7EB3000-memory.dmpFilesize
43.1MB
-
memory/4440-119-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmpFilesize
64KB
-
memory/4440-117-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmpFilesize
64KB
-
memory/4440-116-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmpFilesize
64KB
-
memory/4440-115-0x00007FF9B3A10000-0x00007FF9B3A20000-memory.dmpFilesize
64KB