Analysis

Max time kernel: 151s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 03-06-2022 04:41

Static task: static1
Behavioral task: behavioral1
  Sample: 13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d.docm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d.docm
  Resource: win10v2004-20220414-en
General

Target: 13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d.docm
Size: 83KB
MD5: 809bd1fb131542f384d23442b7655693
SHA1: b177f312231218fc98734d168d9fa242fffe2c9b
SHA256: 13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d
SHA512: 46b179d0085387924801f8f7e6dede9ba51b6c3377d93b74bcb483675e0c9f23f2668dd99f80d7b69f5324ea4968de1c9d86ae678ffa231b78ff328b38ec921a
Malware Config

Extracted
  Family: metasploit
  Stager: windows/reverse_http
  C2 URL: http://165.22.98.128:1123/1YPtJmGLMwIg8iHzfQcrhw02H1QR60AJRBxn_HQe1mbt8CU5iTyqdtvUdThyIbXUFXPYBsieg-AKGb5gjzTxsjlB4pkVxFxNVc6dIkzzeyIElqNmIPrYHqZGu47nu6Rq6tf1NquEd868SjRW8zUuThVVU8tQ4iG-GZcaIhBjUOwKo-V0q3z47Z5EYOHEnWMYxjHGOcOLSHylPE4O_E0Bi1DAy
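The path in the URL above is not random. A Metasploit reverse_http handler selects its mode by an 8-bit checksum of the request path (92 for Windows/native stagers, 80 for Python, 88 for Java, 98 for a staged session reconnecting), and the first 22 base64url characters of the path carry a 16-byte payload UUID holding the payload id, platform, architecture and generation time. The Python below is an added example, not code from this report or from Metasploit: it reimplements that checksum and UUID unpacking (constants as in Rex::Payloads::Meterpreter::UriChecksum and Msf::Payload::UUID, with the platform and architecture tables abbreviated to the entries used here) and runs it over the extracted URL. Against the URL above it reports the init_native mode and a Windows/x86 UUID, which matches the windows/reverse_http stager named in the config; it also shows the inverse direction, building a UUID and padding a path to a chosen checksum the way the framework does.

```python
"""Metasploit reverse_http URI decoder (added example, not part of the Triage report).

Reproduces in Python:
  - Rex::Payloads::Meterpreter::UriChecksum: checksum8 of the request path selects
    the handler mode (init_native / init_python / init_java / connect)
  - Msf::Payload::UUID: the first 22 base64url characters of the path carry a
    16-byte UUID: 8-byte payload id, two xor bytes, platform id, arch id, timestamp
The PLATFORMS / ARCHITECTURES tables are abbreviated to the entries needed here.
"""
import base64
import re
import secrets
import string
import struct
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# C2 URL as extracted in the Malware Config section of the report.
SAMPLE_URL = (
    "http://165.22.98.128:1123/"
    "1YPtJmGLMwIg8iHzfQcrhw02H1QR60AJRBxn_HQe1mbt8CU5iTyqdtvUdThyIbXUFXPYBsieg-AKGb5g"
    "jzTxsjlB4pkVxFxNVc6dIkzzeyIElqNmIPrYHqZGu47nu6Rq6tf1NquEd868SjRW8zUuThVVU8tQ4iG-"
    "GZcaIhBjUOwKo-V0q3z47Z5EYOHEnWMYxjHGOcOLSHylPE4O_E0Bi1DAy"
)

# Handler modes keyed by checksum8 of the path (URI_CHECKSUM_INITW/INITN, INITP, INITJ, CONN).
URI_CHECKSUM_MODES = {
    92: "init_native",  # Windows and other native stagers, e.g. windows/reverse_http
    80: "init_python",
    88: "init_java",
    98: "connect",      # an already staged session reconnecting
}
URI_CHECKSUM_UUID_MIN_LEN = 22                 # 16 bytes as unpadded base64url
URI_STRIP = re.compile(r"[^A-Za-z0-9_\-]")     # the handler ignores every other character

# Abbreviated Msf::Payload::UUID tables (only the ids used in this example).
PLATFORMS = {0: None, 1: "windows", 3: "android", 4: "java", 6: "linux", 9: "osx", 21: "python"}
ARCHITECTURES = {0: None, 1: "x86", 2: "x64", 12: "armle", 17: "java", 20: "python", 24: "aarch64"}


def checksum8(s: str) -> int:
    """Rex::Text.checksum8: sum of the byte values modulo 256."""
    return sum(s.encode("ascii")) % 256


def classify_uri(path: str) -> Optional[str]:
    """Handler mode for a request path, or None when the checksum matches no mode."""
    return URI_CHECKSUM_MODES.get(checksum8(URI_STRIP.sub("", path)))


def parse_uuid(path: str) -> dict:
    """Unpack the payload UUID from the first 22 base64url characters of the path."""
    bare = URI_STRIP.sub("", path)
    if len(bare) < URI_CHECKSUM_UUID_MIN_LEN:
        raise ValueError("path too short to carry a payload UUID")
    raw = base64.urlsafe_b64decode(bare[:URI_CHECKSUM_UUID_MIN_LEN] + "==")
    puid, plat_xor, arch_xor, plat_x, arch_x, time_x = struct.unpack(">8s4BI", raw)
    # Platform and arch ids are XORed with the random byte stored just before them;
    # the 32-bit timestamp is XORed with those two bytes repeated (plat, arch, plat, arch).
    time_key = struct.unpack(">I", bytes([plat_xor, arch_xor, plat_xor, arch_xor]))[0]
    timestamp = time_x ^ time_key
    return {
        "puid": puid.hex(),
        "platform": PLATFORMS.get(plat_x ^ plat_xor, plat_x ^ plat_xor),
        "arch": ARCHITECTURES.get(arch_x ^ arch_xor, arch_x ^ arch_xor),
        "timestamp": timestamp,
        "generated_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
    }


def analyze(url: str) -> dict:
    """Classify a handler URL and, when the path is long enough, decode its UUID."""
    path = urlsplit(url).path
    has_uuid = len(URI_STRIP.sub("", path)) >= URI_CHECKSUM_UUID_MIN_LEN
    return {"mode": classify_uri(path), "uuid": parse_uuid(path) if has_uuid else None}


def encode_uuid(puid: bytes, platform: str, arch: str, timestamp: int,
                plat_xor: Optional[int] = None, arch_xor: Optional[int] = None) -> str:
    """Build a 22-character UUID as Msf::Payload::UUID.generate_raw does (inverse of parse_uuid)."""
    if len(puid) != 8:
        raise ValueError("puid must be exactly 8 bytes")
    plat_xor = secrets.randbelow(256) if plat_xor is None else plat_xor
    arch_xor = secrets.randbelow(256) if arch_xor is None else arch_xor
    plat_id = {v: k for k, v in PLATFORMS.items()}[platform]
    arch_id = {v: k for k, v in ARCHITECTURES.items()}[arch]
    time_key = struct.unpack(">I", bytes([plat_xor, arch_xor, plat_xor, arch_xor]))[0]
    raw = struct.pack(">8s4BI", puid, plat_xor, arch_xor,
                      plat_id ^ plat_xor, arch_id ^ arch_xor, timestamp ^ time_key)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_uri(mode: int, length: int, prefix: str = "") -> str:
    """Append random base64url characters to prefix until checksum8 equals mode, which is
    what the framework's generate_uri_checksum does. At least four random characters are
    required: with fewer, some residues mod 256 are unreachable and the loop never ends."""
    pad = length - len(prefix)
    if pad < 4:
        raise ValueError("need at least four random characters after the prefix")
    alphabet = string.ascii_letters + string.digits + "-_"
    while True:
        uri = prefix + "".join(secrets.choice(alphabet) for _ in range(pad))
        if checksum8(uri) == mode:
            return uri


if __name__ == "__main__":
    print(analyze(SAMPLE_URL))
```

The connect mode (checksum 98) is what a staged session uses on every later call-back, so filtering proxy logs for paths whose checksum8 is 92, 80, 88 or 98 is a cheap first pass; any base64url-looking path from other software collides with one of the four about one time in 64, so confirm a hit by decoding the UUID and checking that the platform, architecture and timestamp are sensible.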
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Executes dropped EXE (1 IoC)
  PID 3536  radD3B3A.tmp.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE

  Both registry signatures are attributed to WINWORD.EXE (PID 1520), not to the dropped executable. Word reads these CPU and BIOS keys during ordinary startup, so on their own they do not show that the macro or the payload performed any sandbox check.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 1520  WINWORD.EXE (2 calls)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 1520  WINWORD.EXE (7 calls)

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1520 WINWORD.EXE wrote to memory of PID 3536 radD3B3A.tmp.exe (3 writes)

  All three writes go into the child that WINWORD.EXE itself launched, which is expected when a parent creates a process (it writes the child's process parameters into the new address space). The report shows no writes into any unrelated process, so this signature records the launch of the dropped executable rather than code injection.
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1520)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d.docm" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\radD3B3A.tmp.exe (PID 3536, child of PID 1520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\radD3B3A.tmp.exe"
      - Executes dropped EXE

The chain is a plain macro dropper: the document's macro, running inside WINWORD.EXE, writes a 72KB executable (hashes under Downloads) into the same Temp directory the document was opened from and starts it with no arguments. The name radD3B3A.tmp.exe has the form returned by Scripting.FileSystemObject.GetTempName() (rad, five hex digits, .tmp) with .exe appended, which is how Metasploit's vba-exe output names the payload it drops.
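The process tree above (Word opened on a .docm from the user's Temp directory, then spawning a freshly written executable from the same directory) is the part of this report that is easiest to turn into a detection. The Python below is an added example, not part of the Triage report: it scores process-creation records with Sysmon Event ID 1 style fields (pid, ppid, image, parent image, command line) against three rules and then links a flagged parent to its flagged child. The records are constructed from the two command lines above; the explorer.exe parent, the OfficeC2RClient.exe and setup.exe lookalikes, and the PIDs 900, 4100 and 5200 are invented for illustration.

```python
"""Process-tree hunting check for an Office macro dropper (added example, not part of the report).

Rules scored per process-creation record:
  - office_spawns_temp_exe: an Office application launched an executable from AppData\\Local\\Temp
  - gettempname_exe_name: the child's name has the Scripting.FileSystemObject.GetTempName()
    form (rad + five hex digits + .tmp) with .exe appended
  - office_opened_macro_doc_from_temp: an Office application was started on a macro-enabled
    document stored in AppData\\Local\\Temp
attack_chains() then pairs a flagged parent with its flagged child.
"""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
TEMP_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp(\\|$)", re.IGNORECASE)
GETTEMPNAME_EXE_RE = re.compile(r"^rad[0-9a-f]{5}\.tmp\.exe$", re.IGNORECASE)
MACRO_DOC_RE = re.compile(r'"([^"]+\.(?:docm|dotm|xlsm|xlam|pptm))"', re.IGNORECASE)

# Constructed records. The first two reproduce the tree in the report; the explorer.exe
# parent, the two benign lookalikes and the PIDs 900, 4100 and 5200 are invented.
EVENTS = [
    {"pid": 1520, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\13dfaa0581c1c89dde1f8335b58a766bf4fb7425c9a8f863e6ef11e1785c299d.docm" /o ""'},
    {"pid": 3536, "ppid": 1520,
     "image": r"C:\Users\Admin\AppData\Local\Temp\radD3B3A.tmp.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\radD3B3A.tmp.exe"'},
    # Benign lookalike: Word starting the Click-to-Run updater from Program Files.
    {"pid": 4100, "ppid": 1520,
     "image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /update user'},
    # Executable in Temp, but launched by the shell rather than by an Office application.
    {"pid": 5200, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" /S'},
]


def in_user_temp(path: str) -> bool:
    """True when the file lives under a user's AppData\\Local\\Temp directory."""
    return bool(TEMP_DIR_RE.match(str(PureWindowsPath(path).parent)))


def macro_doc_from_temp(cmdline: str) -> bool:
    """True when the command line opens a macro-enabled Office document stored in Temp."""
    m = MACRO_DOC_RE.search(cmdline)
    return bool(m) and in_user_temp(m.group(1))


def score_event(ev: dict) -> list:
    """Reasons the record matches; an empty list means no finding."""
    parent_name = PureWindowsPath(ev["parent_image"]).name.lower()
    child_name = PureWindowsPath(ev["image"]).name
    reasons = []
    if parent_name in OFFICE_IMAGES and in_user_temp(ev["image"]):
        reasons.append("office_spawns_temp_exe")
    if GETTEMPNAME_EXE_RE.match(child_name):
        reasons.append("gettempname_exe_name")
    if child_name.lower() in OFFICE_IMAGES and macro_doc_from_temp(ev["cmdline"]):
        reasons.append("office_opened_macro_doc_from_temp")
    return reasons


def hunt(events) -> dict:
    """pid -> reasons for every record with at least one finding."""
    findings = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


def attack_chains(events) -> list:
    """(parent_pid, child_pid) pairs where both the parent and the child were flagged."""
    findings = hunt(events)
    return [(ev["ppid"], ev["pid"]) for ev in events
            if ev["pid"] in findings and ev["ppid"] in findings]


if __name__ == "__main__":
    for pid, reasons in hunt(EVENTS).items():
        print(pid, ", ".join(reasons))
    print("chains:", attack_chains(EVENTS))
```

Run on the constructed records, only the two processes from the report are flagged and they form the single chain (1520, 3536); the updater launched by Word and the installer launched from Temp by the shell match nothing, which is the point of requiring both an Office parent and a Temp location before raising the first rule.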
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\radD3B3A.tmp.exe
  Filesize: 72KB
  MD5: b615e4a09814f631503304c97dfec233
  SHA1: 27852f4cf4a6f34e32d97e917d028948902c5625
  SHA256: 51e7b89eb3fde57ba53816297fe2cf08ffdd7ac508b9025146763adb2b5e2580
  SHA512: e8a510bae716db445c702c7509e0c3dd8593404850b47f5fa24feb1256b8b0dbb561edd51df20141b8032c024f18882d8b6655c56b7f38c66beb8d2a6a57736e
memory/1520-130-0x00007FFADE430000-0x00007FFADE440000-memory.dmp  64KB
memory/1520-131-0x00007FFADE430000-0x00007FFADE440000-memory.dmp  64KB
memory/1520-132-0x00007FFADE430000-0x00007FFADE440000-memory.dmp  64KB
memory/1520-133-0x00007FFADE430000-0x00007FFADE440000-memory.dmp  64KB
memory/1520-134-0x00007FFADE430000-0x00007FFADE440000-memory.dmp  64KB
memory/1520-135-0x00007FFADC320000-0x00007FFADC330000-memory.dmp  64KB
memory/1520-136-0x00007FFADC320000-0x00007FFADC330000-memory.dmp  64KB
memory/3536-137-0x0000000000000000-mapping.dmp