Analysis
- max time kernel: 300s
- max time network: 198s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 18-06-2021 14:35
- static task: static1
- behavioral task: behavioral1 (sample direct.06.21.doc, resource win7v20210408)
- behavioral task: behavioral2 (sample direct.06.21.doc, resource win10v20210410; the run covered by this report)
General
- Target: direct.06.21.doc
- Size: 45KB
- MD5: fd6e7c4dc800744dd6fa8978e53f6d06
- SHA1: cf3f4b86884bd1e09829d4b6068bba85fa38678a
- SHA256: 80716bed129a179e1774b3d825fbb7348369acba937005e32dc3577684bc6425
- SHA512: ceb2a7abfe7aceef7ff87f14a970055d1cb99cf8aa082a94ad29bee3fc9f3e7e4fba316a6eaffefdd1516c455353119de39965d774a21216124e4fdec1db97af
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    process: regsvr32.exe (pid 956); parent: WINWORD.EXE (pid 2156)
  The child was started with c:\programdata\constException.jpg as its argument (see the process tree below). regsvr32.exe hands its argument to LoadLibrary and never checks the extension, so the .jpg name does not mean the file is an image; treat it as a renamed DLL until the file has been inspected.
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (all hits from WINWORD.EXE; each recorded twice, against the two WINWORD.EXE processes):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  These reads are attributed to WINWORD.EXE itself, not to the regsvr32.exe child, and Office reads the same keys during normal start-up, so on their own they are weak evidence of sandbox evasion.
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (all hits from WINWORD.EXE; each recorded twice, against the two WINWORD.EXE processes):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  As with the processor reads, these come from WINWORD.EXE rather than from the regsvr32.exe child.
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes: 3424 WINWORD.EXE (2 hits), 2156 WINWORD.EXE (1 hit)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 3424 WINWORD.EXE (2 hits)
- Suspicious use of SetWindowsHookEx (29 IoCs)
  Processes: 3424 WINWORD.EXE (19 hits), 2156 WINWORD.EXE (10 hits)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    PID 2156 (WINWORD.EXE) wrote to memory of PID 956 (regsvr32.exe), recorded twice
  A parent writing into a child it has just created is logged routinely at CreateProcess time (the process parameters are written into the new address space), so this entry corroborates the parent/child relationship rather than showing a separate injection step.
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct.06.21.doc" /o ""  (PID 3424, depth 1)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding  (PID 2156, depth 1)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\regsvr32.exe c:\programdata\constException.jpg  (PID 956, depth 2, child of PID 2156)
    - Process spawned unexpected child process
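The two process-level signals in this run, an Office parent spawning regsvr32.exe and regsvr32.exe being handed a non-DLL file from C:\ProgramData, expressed as rules over Sysmon-style process-creation events. This is an added example written for this page, not code from the sandbox or its vendor. The sample events are constructed to mirror the process tree above (PIDs 3424, 2156 and 956); the parent images of the two WINWORD.EXE instances, the extra PIDs, and the benign msiexec/regsvr32 control event are assumptions the report does not contain.

```python
"""Process-creation rules for the behaviour in this report.

Added example, not code from the sandbox report or its vendor. The events
below are constructed to mirror the process tree above (PIDs 3424, 2156 and
956) plus one benign control; the parent images of the two WINWORD.EXE
instances, the extra PIDs and the benign regsvr32 invocation are assumed,
since the report does not show them. Field names follow Sysmon Event ID 1.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents that have no business launching script hosts or LOLBins.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Children commonly used as the second stage of a macro or exploit chain.
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions regsvr32 is normally handed. regsvr32 itself never checks the
# extension (it calls LoadLibrary, then DllRegisterServer), so anything else
# is a heuristic signal, not proof of abuse.
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}
# Writable locations a legitimately registered COM server should not live in.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def office_spawned_lolbin(ev: ProcessEvent) -> bool:
    return image_name(ev.parent_image) in OFFICE_PARENTS and image_name(ev.image) in LOLBIN_CHILDREN


def regsvr32_module(ev: ProcessEvent) -> Optional[str]:
    """Return the file regsvr32 was told to load: the first argument that is not a /x or -x switch."""
    if image_name(ev.image) != "regsvr32.exe":
        return None
    for arg in split_windows_cmdline(ev.command_line)[1:]:
        if arg and arg[0] not in "/-":
            return arg
    return None


def evaluate(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        if office_spawned_lolbin(ev):
            reasons.append(f"{image_name(ev.parent_image)} (pid {ev.ppid}) spawned {image_name(ev.image)}")
        module = regsvr32_module(ev)
        if module is not None:
            ext = ntpath.splitext(module)[1].lower()
            if ext not in LIBRARY_EXTENSIONS:
                reasons.append(f"regsvr32 module has non-library extension {ext or '(none)'}: {module}")
            if module.lower().startswith(WRITABLE_PREFIXES):
                reasons.append(f"regsvr32 module lives in a writable directory: {module}")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # Interactive Word instance opening the document (PID 3424); parent explorer.exe is assumed.
    ProcessEvent(3424, 4100, WINWORD, r"C:\Windows\explorer.exe",
                 f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\direct.06.21.doc" /o ""'),
    # Second Word instance started for automation (PID 2156); parent svchost.exe is assumed.
    ProcessEvent(2156, 888, WINWORD, r"C:\Windows\System32\svchost.exe",
                 f'"{WINWORD}" /Automation -Embedding'),
    # The child the report flags: regsvr32 handed a .jpg in C:\ProgramData by PID 2156.
    ProcessEvent(956, 2156, r"C:\Windows\System32\regsvr32.exe", WINWORD,
                 r"C:\Windows\System32\regsvr32.exe c:\programdata\constException.jpg"),
    # Constructed benign control: an installer silently registering a COM server.
    ProcessEvent(5012, 4988, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
                 r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\plugin.ocx"'),
]

if __name__ == "__main__":
    for pid, reasons in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}:")
        for reason in reasons:
            print("  -", reason)
```

Run as a script this reports a single finding, PID 956, with all three reasons, and stays silent on both WINWORD.EXE instances and on the msiexec control. The parent/child rule is the one to rely on; the extension and directory rules are corroboration only, and neither covers regsvr32 pointed at a scriptlet via /i:, which needs a separate rule.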
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files recorded by the sandbox during the run. The first four are Office/Windows housekeeping artifacts (CryptnetUrlCache is the CryptoAPI cache for certificate and revocation fetches; WebServiceCache and OTele are Office service-cache and telemetry files). The last, c:\programdata\constException.jpg, is the module passed to regsvr32.exe (PID 956) and is the file to pull for further analysis.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 1df8c47949f9b5d4ab72a4e5a16040d4
  SHA1: 725e67a98b4014bae66504e2395b9dc02a7dff04
  SHA256: 8ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed
  SHA512: ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: f3e4c2e0c5917ca52dcc8f43ddf393a5
  SHA1: b70d26da010fd6b83684204d13585a85446d1cf5
  SHA256: aae2a6798b5522b0edf978c513afe830900b29fee3091074357d73571500cc17
  SHA512: 67221d1867b90cf99f61691aff5ae5ca85cb76c8a21c0ee872849a6163b4accfd8a3a7befd7fa30dddd2c2fc13b218f8d015e688a7c90158069ecfe406ba67bd
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\D87AE620-8C65-4B53-B734-CBBAE71FB994
  MD5: e44b65496b920951ffdadb97af3b00fb
  SHA1: 3e5f4a1a3434ac3c9491086403f28f2bf51e9ed5
  SHA256: e694db219954b3efee65d526e41a182b468c0f2c785c2a01d8f494d7461958a1
  SHA512: 686830af8f3708b29a19fa67fd81be03d185c960a4a8440a8458416cb4ad945800cddf99d54022f44636853ddb2e36f1bc65baeeecfe7bb4b72a1d912a036c4d
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  MD5: a015415df138876ab6b9a0ce4feacbeb
  SHA1: 3035ad737ca660704f08b043323623f232ed25d7
  SHA256: 76f49543e9705831531d1b47dc04040d9a1a04e078cbe801f48a34e92b8585ec
  SHA512: 844c74ba5dca228a4a159adb2ba39e007dd6531a7329accc821b34c70efa6ea7de96d5d4a40a7fbcb561885811dfd45496d5ade8575bf0243e41656440513cd7
- \??\c:\programdata\constException.jpg
  MD5: 4fa06a1a81e16277e229363102fd61bd
  SHA1: f8d727d8856ec9b4a21bf78c2022add23e7921b3
  SHA256: e6df10e459e8266cee52ef3520326d7b8d0dacb7a44ffa025966777a8e1aba8f
  SHA512: 2cd7ce2afebabdec2b7ce82bee9dfbd68cdfeee4968ff9887178cf57d1e066fc0dfe6fc319c07a5e599d3915cd8cee90f1fdef34068c0e74532f38aebd2edf10
-
- memory/956-181-0x0000000000000000-mapping.dmp
- memory/3424-117-0x00007FF810580000-0x00007FF810590000-memory.dmp (64KB)
- memory/3424-123-0x00007FF8298A0000-0x00007FF82B795000-memory.dmp (31.0MB)
- memory/3424-122-0x00007FF82BBF0000-0x00007FF82CCDE000-memory.dmp (16.9MB)
- memory/3424-118-0x00007FF831EE0000-0x00007FF834A03000-memory.dmp (43.1MB)
- memory/3424-119-0x00007FF810580000-0x00007FF810590000-memory.dmp (64KB)
- memory/3424-114-0x00007FF810580000-0x00007FF810590000-memory.dmp (64KB)
- memory/3424-116-0x00007FF810580000-0x00007FF810590000-memory.dmp (64KB)
- memory/3424-115-0x00007FF810580000-0x00007FF810590000-memory.dmp (64KB)