Overview
overview
10Static
static
100f56c5738a...f08901
linux_amd64
0f56c5738a...f08901
linux_mipsel
0f56c5738a...f08901
linux_mips
219156c025...f0.exe
windows7_x64
10219156c025...f0.exe
windows10_x64
102a0f53dd66...03.exe
windows7_x64
102a0f53dd66...03.exe
windows10_x64
1036ef5e0db1...a0.exe
windows7_x64
1036ef5e0db1...a0.exe
windows10_x64
104072fc745a...65.exe
windows7_x64
104072fc745a...65.exe
windows10_x64
1042c8ded976...95.exe
windows7_x64
1042c8ded976...95.exe
windows10_x64
1052969fae09...5d.rtf
windows7_x64
1052969fae09...5d.rtf
windows10_x64
10571de4698e...31.exe
windows7_x64
10571de4698e...31.exe
windows10_x64
1057bb59a2c4...52.rtf
windows7_x64
1057bb59a2c4...52.rtf
windows10_x64
10662fbe23c8...0a.exe
windows7_x64
10662fbe23c8...0a.exe
windows10_x64
1070d5a71e82...91.dll
windows7_x64
170d5a71e82...91.dll
windows10_x64
171d384c258...86.exe
windows7_x64
1071d384c258...86.exe
windows10_x64
1079745c2263...9d.exe
windows7_x64
1079745c2263...9d.exe
windows10_x64
1083c46c1972...c3.exe
windows7_x64
1083c46c1972...c3.exe
windows10_x64
108cecb6b01a...d0.exe
windows7_x64
108cecb6b01a...d0.exe
windows10_x64
10a3feb5265e...66.exe
windows7_x64
10Analysis
-
max time kernel
151s -
max time network
163s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-07-2021 15:26
Behavioral task
behavioral1
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
ubuntu-amd64
Behavioral task
behavioral2
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsel
Behavioral task
behavioral3
Sample
0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
Resource
debian9-mipsbe
Behavioral task
behavioral4
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win7v20210408
Behavioral task
behavioral5
Sample
219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win7v20210410
Behavioral task
behavioral7
Sample
2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
Resource
win10v20210410
Behavioral task
behavioral8
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win7v20210408
Behavioral task
behavioral9
Sample
36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Resource
win10v20210410
Behavioral task
behavioral10
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win7v20210408
Behavioral task
behavioral11
Sample
4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
Resource
win10v20210410
Behavioral task
behavioral12
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win7v20210408
Behavioral task
behavioral13
Sample
42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
Resource
win10v20210410
Behavioral task
behavioral14
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win7v20210408
Behavioral task
behavioral15
Sample
52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf
Resource
win10v20210410
Behavioral task
behavioral16
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win7v20210410
Behavioral task
behavioral17
Sample
571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
Resource
win10v20210408
Behavioral task
behavioral18
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win7v20210410
Behavioral task
behavioral19
Sample
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
Resource
win10v20210408
Behavioral task
behavioral20
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win7v20210410
Behavioral task
behavioral21
Sample
662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win7v20210410
Behavioral task
behavioral23
Sample
70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll
Resource
win10v20210408
Behavioral task
behavioral24
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win7v20210408
Behavioral task
behavioral25
Sample
71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
Resource
win10v20210410
Behavioral task
behavioral26
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win7v20210410
Behavioral task
behavioral27
Sample
79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
Resource
win10v20210410
Behavioral task
behavioral28
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win7v20210408
Behavioral task
behavioral29
Sample
83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
Resource
win10v20210410
Behavioral task
behavioral30
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win7v20210410
Behavioral task
behavioral31
Sample
8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
Resource
win10v20210408
Behavioral task
behavioral32
Sample
a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe
Resource
win7v20210410
General
-
Target
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf
-
Size
662KB
-
MD5
47a5e618c809f1f37bccced9d3536deb
-
SHA1
da3a6f5851537edffcc29e9bf4282d552090ce6e
-
SHA256
57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752
-
SHA512
0d4f429f517b2d2045ef32e3a8e3f86b9a250e7f666398d88409a9a56e2a155baef2decf3c167941cd7da28b503241a6f9553d3ca06094bb965781097cb7a18c
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
FLTLDR.EXEdescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3644 784 FLTLDR.EXE WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 10 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\MAPPINGS\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\CHILDREN WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\Moniker = "oice_16_974fa576_32c1d314_1e11" WINWORD.EXE Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11 WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11 WINWORD.EXE Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11\Children WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\OICE_16_974FA576_32C1D314_1E11\CHILDREN WINWORD.EXE Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\DisplayName = "OICE_16_974FA576_32C1D314_1E11" WINWORD.EXE Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\Children WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{683C9910-647D-49CA-B8ED-A9F2AE771570}\abdtfhghgdghghœ.ScT:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 784 WINWORD.EXE 784 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE 784 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 784 wrote to memory of 3644 784 WINWORD.EXE FLTLDR.EXE PID 784 wrote to memory of 3644 784 WINWORD.EXE FLTLDR.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT2⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_1e11\AC\Temp\FLD509.tmpMD5
263ff32cc8b100ddcef2fede237bdcbb
SHA13faab71d14c778b6d7090e508dc68c6fc1a738fe
SHA256acb51bb46e7b6f5c713c68b63c9193516fae376b7214fb102700d08097ad33e2
SHA512bde84fc92350935f7e5e4edc15095568bb33463ce427a97d54b28d4873231ee70cfea682aae75f0d50d9ad9bc4bd986bc8a529b71ff3dcbbeb450e48b9b273fe
-
memory/784-125-0x00007FFDF4780000-0x00007FFDF586E000-memory.dmpFilesize
16.9MB
-
memory/784-119-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/784-120-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/784-121-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/784-122-0x00007FFDF8250000-0x00007FFDFAD73000-memory.dmpFilesize
43.1MB
-
memory/784-117-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/784-126-0x00007FFDF2250000-0x00007FFDF4145000-memory.dmpFilesize
31.0MB
-
memory/784-118-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/3644-363-0x0000000000000000-mapping.dmp
-
memory/3644-365-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/3644-366-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/3644-367-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB
-
memory/3644-369-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmpFilesize
64KB