Analysis
- max time kernel: 142s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-07-2021 06:15

Tasks:
- Static task: static1
- Behavioral task: behavioral1; Sample: INVOICE 00082925.doc; Resource: win7v20210410
- Behavioral task: behavioral2; Sample: INVOICE 00082925.doc; Resource: win10v20210410
General
- Target: INVOICE 00082925.doc
- Size: 1.0MB
- MD5: 3347d22680185efb3cd73d55b55a5c6d
- SHA1: 36f0afde99cdabe38dbe7c281b61c17b1ca41372
- SHA256: 5f815bd7f39cccb4b92bea3d36861d6844eeea3307e86b237d794c660d1305c3
- SHA512: 54cd4b8033702d2192fe8d860df7a092a23675e1bf6450f5cc3862346ef6f078b6b3de03da81d246284adf8f7a9362909fde5efa361ce9135e9c29f64a0461db
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 3176; pid_target: 3904; process: FLTLDR.EXE; target process: WINWORD.EXE
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (10 IoCs)
Processes:
- Key created: \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353 (WINWORD.EXE)
- Key created: \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_6aa (WINWORD.EXE)
- Key created: \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_6aa\Children (WINWORD.EXE)
- Key deleted: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353\Children (WINWORD.EXE)
- Key deleted: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353 (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353\DisplayName = "OICE_16_974FA576_32C1D314_6AA" (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353\Moniker = "oice_16_974fa576_32c1d314_6aa" (WINWORD.EXE)
- Key created: \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-683449003-4070520733-2096941571-489723438-3756341991-3158209938-1414602353\Children (WINWORD.EXE)
- Key deleted: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_6aa\Children (WINWORD.EXE)
- Key deleted: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_6aa (WINWORD.EXE)
NTFS ADS (1 IoC)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Local\Temp\{9BD4C6A0-9760-4FA8-8F44-C0E1EDB0DCFC}\abdtfhghgdghghœ.ScT:Zone.Identifier (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid 3904 WINWORD.EXE (2 identical entries)
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes:
- pid 3904 WINWORD.EXE (10 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
- description: PID 3904 wrote to memory of 3176; pid: 3904; process: WINWORD.EXE; target process: FLTLDR.EXE (2 identical entries)
Processes
- 1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE 00082925.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - 2. C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE (child of 1)
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_6aa\AC\Temp\FL43D5.tmp
  MD5: f9e08d5127fd232b5b315f4ad4b4d3f6
  SHA1: 070cf71c40068e159342196407b26eb1b19268f3
  SHA256: b7432aa4635aeaf0304c9cc33fa040360ab7b8b006435885b944c6a48092f066
  SHA512: 627ade2ef4201c974733355a945f84545d379037a022c60841800576d01deead23483bb80f012deef94f119546f4c231cfa7816f030f381626166b80df36892b
Memory dumps:
- memory/3176-348-0x0000000000000000-mapping.dmp
- memory/3176-371-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3176-364-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3176-363-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3176-362-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3904-117-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3904-123-0x00007FF83D200000-0x00007FF83F0F5000-memory.dmp (Filesize: 31.0MB)
- memory/3904-122-0x00007FF83F100000-0x00007FF8401EE000-memory.dmp (Filesize: 16.9MB)
- memory/3904-118-0x00007FF845680000-0x00007FF8481A3000-memory.dmp (Filesize: 43.1MB)
- memory/3904-119-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3904-114-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3904-116-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)
- memory/3904-115-0x00007FF824490000-0x00007FF8244A0000-memory.dmp (Filesize: 64KB)