Analysis
-
max time kernel
171s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
02-06-2022 18:48
Static task
static1
Behavioral task
behavioral1
Sample
14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm
Resource
win10v2004-20220414-en
General
-
Target
14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm
-
Size
51KB
-
MD5
577eab90797f2804a44cce6241eb9c22
-
SHA1
6bee48fb567b6f0acc2cd129741f0351b961c89f
-
SHA256
14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379
-
SHA512
e5a5140424c5dcfccd2dafc34bdf2232dd2d046dd933f47053b9278ccf1f67e3a61110da0c81c9f419a42a0a4538c97c5dba1b8a6dba800d0186b69a07d9770c
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Extracted
metasploit
windows/reverse_http
http://191.101.42.179:8080/HxJOy7n0CJvydvN3qZ2FLgqSDe-upNDe0J0Ts0S_QVE3U8qmdyykRSnD6T_HvD7La8DNmDu0GFUno6sSH6E1kyH1KFLrK-sU2mx6mwqnG4gBWa7BSH61LeWes6_ip9ijxEIdPAmYbrc9mOjG3ohA4KJrSn_hMCCfI9Pc_7hBhp
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
Processes:
txqTrPLp.exepid process 4172 txqTrPLp.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 868 WINWORD.EXE 868 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE 868 WINWORD.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 868 wrote to memory of 4172 868 WINWORD.EXE txqTrPLp.exe PID 868 wrote to memory of 4172 868 WINWORD.EXE txqTrPLp.exe PID 868 wrote to memory of 4172 868 WINWORD.EXE txqTrPLp.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\14bd8ce373bf64dc8f78775f284ce5449cc350796a4b53c27505c4f9bcba0379.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\txqTrPLp.exeC:\Users\Admin\txqTrPLp.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\txqTrPLp.exeFilesize
4KB
MD54788af93cfbfc6fa40602c34205e8f78
SHA127846a108f37d617ea2b062673a7cddb62ea1a71
SHA256212f19c7162e353259d30000502c8bc7b938f26398596beaff56dbf2577f8307
SHA5123c70a46284006805ab14d99b834c1192a31ebe4912312e6d4a9b6db5d608d5603c8210e47c5eefc85ebf9d1e648aff53043f0d64d64c66fe58482df9b6d27746
-
C:\Users\Admin\txqTrPLp.exeFilesize
4KB
MD54788af93cfbfc6fa40602c34205e8f78
SHA127846a108f37d617ea2b062673a7cddb62ea1a71
SHA256212f19c7162e353259d30000502c8bc7b938f26398596beaff56dbf2577f8307
SHA5123c70a46284006805ab14d99b834c1192a31ebe4912312e6d4a9b6db5d608d5603c8210e47c5eefc85ebf9d1e648aff53043f0d64d64c66fe58482df9b6d27746
-
memory/868-143-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-130-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-134-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-135-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmpFilesize
64KB
-
memory/868-136-0x00007FFC474A0000-0x00007FFC474B0000-memory.dmpFilesize
64KB
-
memory/868-132-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-146-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-145-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-131-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-144-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/868-133-0x00007FFC49CD0000-0x00007FFC49CE0000-memory.dmpFilesize
64KB
-
memory/4172-141-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/4172-139-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/4172-137-0x0000000000000000-mapping.dmp