Analysis
- max time kernel: 111s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:32
Static task: static1
Behavioral task: behavioral1
  Sample: bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37.doc
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37.doc
  Resource: win10v2004-20220414-en
General
- Target: bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37.doc
- Size: 2.7MB
- MD5: b3e3e01be28b21afa8a5a6058282a35a
- SHA1: 42651de9242843083d29249301513bf80d15032a
- SHA256: bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37
- SHA512: 9e8b104a6a5805b2627b078fa852388cd5f4c959a3dd20ecb2396a23d625668f9d014d578f11ea59a93a804632d1efc6a288b1144e7eaebdb93a03a9af67a322
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 816 | 1552 | mstsc.exe | WINWORD.EXE
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    1552 | WINWORD.EXE
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    1552 | WINWORD.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid | process
    1552 | WINWORD.EXE (8 entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description | pid | process | target process
    PID 1552 wrote to memory of 816 | 1552 | WINWORD.EXE | mstsc.exe (5 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1552)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37.doc" /o ""
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\mstsc.exe (PID 816, child of WINWORD.EXE)
    Command line: mstsc.exe
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\vnp.dll
  Filesize: 48KB
  MD5: 9ffe07e7cf5d17ad63ede21cd0dc14cc
  SHA1: 8b24205d7bf0b16d416fb888cc925874144b3f55
  SHA256: 61eda78ddb6d83995e145927e0da7a83e0ea0cf783e6c663370c7faae8e10f70
  SHA512: e5eb4ef3c88f93b04d0f420c82c7fdca07246ecb3733daaeac34c4b36c09e95c7ec62553228c0baa4af253c4c140c64d5e116ab8d87b4bb443328d25eeafef7c
Memory dumps (all from PID 1552, each 64KB)
- memory/1552-133-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-134-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-135-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-136-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-137-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-138-0x00007FFAD14A0000-0x00007FFAD14B0000-memory.dmp
- memory/1552-139-0x00007FFAD14A0000-0x00007FFAD14B0000-memory.dmp
- memory/1552-142-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-143-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-144-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp
- memory/1552-145-0x00007FFAD3CF0000-0x00007FFAD3D00000-memory.dmp