Analysis
- max time kernel: 131s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-01-2022 22:34
Static task: static1
Behavioral task: behavioral1
  Sample: RFP_AllianxMexico_2022.doc
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: RFP_AllianxMexico_2022.doc
  Resource: win10-en-20211208
(The behavioral results below are from the windows7_x64 run, win7-en-20211208; Office14 under Program Files (x86).)
General
- Target: RFP_AllianxMexico_2022.doc
- Size: 3.2MB
- MD5: b371e1c2ca2e5718e151760bc4664366
- SHA1: 73457d23e5235df0fcfbf6547aaf26cccc765011
- SHA256: 3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3
- SHA512: b6d4ae4f09c8bb660d46dba8cce9a28a811af28f9364e38dc58da85bff011bf6ac21130a790a96ed9f015f27a916f6d8090a1712bb3f6192412f38381a7f4486
Malware Config
Signatures
- Cobaltstrike
  Detected a malicious payload that is part of Cobalt Strike (static detection on the document; the behavioral run below shows no successful payload execution).
- Process spawned suspicious child process (1 IoC)
  DW20.EXE is the Microsoft Office error-reporting (Dr. Watson) client. Word does not spawn it during normal operation; it appears when WINWORD.EXE has crashed. A crash while opening a hostile document usually means the exploit or embedded payload attempt failed rather than succeeded, so this is evidence of an unsuccessful compromise on this platform, not of execution.
  Processes:
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid: 1936 (DW20.EXE)
    pid_target: 812 (WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
  (No process details recorded for this signature.)
- Modifies Internet Explorer settings
  Processes: 812 WINWORD.EXE
  All keys below are under \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\
    Key created: Toolbar
    Set value (str): Toolbar\ShowDiscussionButton = "Yes"
    Key created: MenuExt
    Key created: MenuExt\Se&nd to OneNote
    Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created: MenuExt\E&xport to Microsoft Excel
    Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  These are the standard Office 2010 Internet Explorer context-menu registrations ("Send to OneNote", "Export to Microsoft Excel") that Office writes on first run. They are not attacker-controlled values and should not be treated as IoCs on their own.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: 812 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: 812 WINWORD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 108 dwwin.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 812 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 812 WINWORD.EXE, 812 WINWORD.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 812 (WINWORD.EXE) wrote to memory of PID 1936 (DW20.EXE): 7 events
    PID 1936 (DW20.EXE) wrote to memory of PID 108 (dwwin.exe): 4 events
  Every write targets a process in the crash-reporting chain (WINWORD.EXE -> DW20.EXE -> dwwin.exe), consistent with the faulting process handing crash state to its reporting client. There is no write into an unrelated process that would indicate code injection by the payload.
Processes
1. PID 812: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFP_AllianxMexico_2022.doc"
   - Modifies Internet Explorer settings
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. PID 1936 (child of 812): "C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1256
      - Process spawned suspicious child process
      - Suspicious use of WriteProcessMemory
      3. PID 108 (child of 1936): C:\Windows\system32\dwwin.exe -x -s 1256 (image on disk: C:\Windows\SysWOW64\dwwin.exe, via WOW64 file-system redirection)
         - Suspicious behavior: GetForegroundWindowSpam
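The signature logic the sandbox applied to this tree is worth reproducing for log triage: an Office process spawning a crash-reporting client means Word died (probable failed exploit), while an Office process spawning a shell or script host means a macro or exploit actually ran. The script below is an added example, not part of this report or of the sandbox; the events are constructed in the shape of Sysmon Event ID 1 (process-creation) records, reproducing the chain observed here (812 -> 1936 -> 108) plus two constructed contrast chains (a PowerShell launch and a benign splwow64.exe print proxy) that did not occur in this run.

```python
"""Classify children of Office processes the way the sandbox signature does.

Added example, not from the sandbox report. SAMPLE_EVENTS is constructed:
the 812/1936/108 chain mirrors this analysis; PIDs 1000, 2000, 2100, 3000
and 3100 and their command lines are invented for contrast.
"""
from dataclasses import dataclass
from typing import Dict, List

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Crash-reporting clients: Office Dr. Watson (DW20.EXE), Windows 7 Dr. Watson
# (dwwin.exe) and the Windows Error Reporting host (WerFault.exe).
CRASH_HANDLERS = {"dw20.exe", "dwwin.exe", "werfault.exe"}
# Interpreters and LOLBins a macro or exploit payload typically launches.
PAYLOAD_LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                     "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Known-good Office children; splwow64.exe is the 32-bit Office print proxy on x64.
ALLOWLISTED_CHILDREN = {"splwow64.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon's Image field
    cmdline: str    # CommandLine field


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_office_children(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per direct child of an Office process."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for parent in events:
        if image_name(parent.image) not in OFFICE_IMAGES:
            continue
        for child in children.get(parent.pid, []):
            name = image_name(child.image)
            if name in CRASH_HANDLERS:
                verdict = "crash-handler"      # parent crashed; exploit likely failed
            elif name in PAYLOAD_LAUNCHERS:
                verdict = "payload-launcher"   # macro/exploit ran a command
            elif name in ALLOWLISTED_CHILDREN:
                verdict = "allowlisted"
            else:
                verdict = "unexpected-child"   # needs analyst review
            findings.append({"parent_pid": parent.pid, "parent": image_name(parent.image),
                             "child_pid": child.pid, "child": name,
                             "cmdline": child.cmdline, "verdict": verdict})
    return findings


def office_verdict(events: List[ProcEvent]) -> Dict[int, str]:
    """Roll the per-child findings up to one verdict per Office process."""
    per_parent: Dict[int, set] = {}
    for f in classify_office_children(events):
        per_parent.setdefault(f["parent_pid"], set()).add(f["verdict"])
    out = {}
    for pid, verdicts in per_parent.items():
        if "payload-launcher" in verdicts or "unexpected-child" in verdicts:
            out[pid] = "execution suspected: review child command lines"
        elif "crash-handler" in verdicts:
            out[pid] = "crash only: exploit or payload likely failed"
        else:
            out[pid] = "nothing suspicious"
    return out


# Constructed sample. Chain 812 -> 1936 -> 108 matches this report; the rest is invented.
SAMPLE_EVENTS = [
    ProcEvent(812, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFP_AllianxMexico_2022.doc"'),
    ProcEvent(1936, 812, r"C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE",
              r'"C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1256'),
    ProcEvent(108, 1936, r"C:\Windows\SysWOW64\dwwin.exe", r"C:\Windows\system32\dwwin.exe -x -s 1256"),
    # Constructed contrast: a Word instance whose macro launched PowerShell.
    ProcEvent(2000, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\invoice.doc"'),
    ProcEvent(2100, 2000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc <constructed>"),
    # Constructed contrast: Excel printing, a benign child.
    ProcEvent(3000, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE", r"EXCEL.EXE"),
    ProcEvent(3100, 3000, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for f in classify_office_children(SAMPLE_EVENTS):
        print(f"{f['parent']}({f['parent_pid']}) -> {f['child']}({f['child_pid']}): {f['verdict']}")
    for pid, verdict in office_verdict(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {verdict}")
```

Note that DW20.EXE -> dwwin.exe is not reported: the rule only keys on Office parents, which is exactly why the sandbox flagged WINWORD.EXE -> DW20.EXE and not the hop below it. In production, feed real Sysmon or EDR process-creation events into `ProcEvent` and keep the allowlist tight; a crash-handler verdict should still send the document to static analysis, since it indicates a hostile file whose payload did not run on that particular build.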
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259400802.cvr
  MD5: 924bb5b2288a37dd1f27baaa3268fc13
  SHA1: 1434c500fe20dfd0f5558dc671fe6e69953fc24f
  SHA256: 78b57801a219fbaacec23d54314f9d24b2b896dbe48a62ccf8f128652f578a05
  SHA512: d49d421a2407fcac118dcbe7be52af576b8d26130fdf2502bc083345cd01dc3825aff1ff38bb9e80541e68ffdc7621dfd658e0aaaa54b455ac61423e064c6065
  A .cvr file in %TEMP% is the crash report Office writes when an application faults; it is an artifact of the WINWORD.EXE crash, not a dropped payload.
- memory/108-392-0x00000000003B0000-0x00000000003B1000-memory.dmp (dwwin.exe, PID 108): 4KB
- memory/812-54-0x0000000072421000-0x0000000072424000-memory.dmp (WINWORD.EXE, PID 812): 12KB
- memory/812-55-0x000000006FEA1000-0x000000006FEA3000-memory.dmp (WINWORD.EXE, PID 812): 8KB
- memory/812-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (WINWORD.EXE, PID 812): 64KB
- memory/812-57-0x0000000075F21000-0x0000000075F23000-memory.dmp (WINWORD.EXE, PID 812): 8KB
- memory/812-390-0x0000000007480000-0x0000000008481000-memory.dmp (WINWORD.EXE, PID 812): 16.0MB