Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: 6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm
- Resource: win10v2004-20220414-en
General
- Target: 6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm
- Size: 83KB
- MD5: b3cd1fbbfa7e1fcf124ebb986db5925b
- SHA1: 90ef51a3601f6c4fc4a588e4f911c0dcc0b7df83
- SHA256: 6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7
- SHA512: 084ea2e44662bacea593479e7289102569b721df327e49a10ee42495197f10bf3b0b8a8cd033b2d9b1c435ce76f92308d65152d2d2baf3902ff5578c56a84323
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_tcp
- C2: 192.168.1.47:4444
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3652: rad5C9E0.tmp.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (WINWORD.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (WINWORD.EXE):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    PID 632: WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
    PID 632: WINWORD.EXE (7 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 632 WINWORD.EXE wrote to memory of PID 3652 rad5C9E0.tmp.exe (3 occurrences)
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6bed7ef049d8d9728a09a94488ac8670c9c20c0e6c294f80fd2153c37a2bead7.docm" /o "" (PID 632)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe" (PID 3652, child of WINWORD.EXE)
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rad5C9E0.tmp.exe
  Filesize: 72KB
  MD5: a2dd0d59f4f6e65aa10a118631a90182
  SHA1: af2e14aa2827265fb2bf96d3ea1eb40b314706fc
  SHA256: 5d8fe64ff6c4ea4d55aec497140578f3b98072c07bda4eacd6ad816f76ad40b4
  SHA512: 298d7149e3eb178ab21bd30aa3126a2c8480cdcb0f829273e0fbc1c97892c34e905eb8da57f83bed22bfb0e8484aff3f6921858f781a1dbb9fe4191839be66e7
- memory/632-130-0x00007FFC95270000-0x00007FFC95280000-memory.dmp (Filesize: 64KB)
- memory/632-132-0x00007FFC95270000-0x00007FFC95280000-memory.dmp (Filesize: 64KB)
- memory/632-131-0x00007FFC95270000-0x00007FFC95280000-memory.dmp (Filesize: 64KB)
- memory/632-133-0x00007FFC95270000-0x00007FFC95280000-memory.dmp (Filesize: 64KB)
- memory/632-134-0x00007FFC95270000-0x00007FFC95280000-memory.dmp (Filesize: 64KB)
- memory/632-135-0x00007FFC93100000-0x00007FFC93110000-memory.dmp (Filesize: 64KB)
- memory/632-136-0x00007FFC93100000-0x00007FFC93110000-memory.dmp (Filesize: 64KB)
- memory/3652-137-0x0000000000000000-mapping.dmp