Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
30-09-2021 08:53
Static task
static1
Behavioral task
behavioral1
Sample
Inq PO-000202120741.doc
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Inq PO-000202120741.doc
Resource
win10-en-20210920
General
-
Target
Inq PO-000202120741.doc
-
Size
535KB
-
MD5
4ef6b1fa16f352e1969080579b832ee3
-
SHA1
d4b85b188ad50ef69c1a238b979a1db7f0d4970d
-
SHA256
29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b
-
SHA512
85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
FLTLDR.EXEdescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2756 2384 FLTLDR.EXE WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 10 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676 WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_3f64 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676\DisplayName = "OICE_16_974FA576_32C1D314_3F64" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676\Moniker = "oice_16_974fa576_32c1d314_3f64" WINWORD.EXE Key created \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676\Children WINWORD.EXE Key created \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_3f64 WINWORD.EXE Key created \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_3f64\Children WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_3f64\Children WINWORD.EXE Key deleted \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676\Children WINWORD.EXE Key created \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-929765457-302519269-2366181145-3766945742-4144916912-2941136712-3588316676 WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\{E49BD243-FCED-46E5-8C43-7F8BE3C23DBA}\abdtfhghgeghDh.ScT:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2384 WINWORD.EXE 2384 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
WINWORD.EXEpid process 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE 2384 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2384 wrote to memory of 2756 2384 WINWORD.EXE FLTLDR.EXE PID 2384 wrote to memory of 2756 2384 WINWORD.EXE FLTLDR.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inq PO-000202120741.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT2⤵
- Process spawned unexpected child process
PID:2756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f8619e01a08514e4d00d75cc4136e190
SHA13477cd2a1aee1500576d49ca8343bed286b4dab6
SHA256f3bcfa3b579b37a2a388b808862050b7c0439df24b24c650ba14e780059bede2
SHA512328348f21e4f363975f2fbe7f85704dd72b84051196f3a4e53c60eb05511be5a85c9edfb0701d0b59566cd77490f93999262120353119602c012d0ad7b3e0149