Analysis
max time kernel: 1168s
max time network: 959s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 16:08
Behavioral task behavioral1
Sample: invisible_shields.docm
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: invisible_shields.docm
Resource: win10v2004-20221111-en
General
Target: invisible_shields.docm
Size: 264KB
MD5: a219cb562f2365f2899410772193a74a
SHA1: 136709ca3f9ba4646f59d40ffd892b4a51b452bb
SHA256: 43fd8d207da16fd3acff874b90819272a8fb0ac1c81c4fcb7a37e2caad345829
SHA512: e2ab830b7bdcdc1099413e78050d86610fa82766bc87319398196a6797caf10158d83981b98fda50367dd846c2d6d87519a52daa566312031d078ccd9817693b
SSDEEP: 6144:/xE0cCW+Gai6zM6oPeek5qqaeLeqNwBIXmRthL:/xp/ziEMPPW5qGwaWHhL
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
NTFS ADS (30 IoCs)
Processes: WINWORD.EXE
Opens file in notepad (likely ransom note) (3 IoCs)
Processes: NOTEPAD.EXE, NOTEPAD.EXE, NOTEPAD.EXE
pid | process
3424 | NOTEPAD.EXE
1372 | NOTEPAD.EXE
4288 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4376 | WINWORD.EXE
4376 | WINWORD.EXE
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: WINWORD.EXE
pid | process
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: WINWORD.EXE
pid | process
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
4376 | WINWORD.EXE
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
description | pid | process | target process
PID 4376 wrote to memory of 3000 | 4376 | WINWORD.EXE | splwow64.exe
PID 4376 wrote to memory of 3000 | 4376 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invisible_shields.docm" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\debug\PASSWD.LOG
  Signatures:
  - Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\debug\sammui.log
  Signatures:
  - Opens file in notepad (likely ransom note)
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\debug\NetSetup.LOG
  Signatures:
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3000-139-0x0000000000000000-mapping.dmp
- memory/4376-132-0x00007FFAD9750000-0x00007FFAD9760000-memory.dmp (Filesize: 64KB)
- memory/4376-133-0x00007FFAD9750000-0x00007FFAD9760000-memory.dmp (Filesize: 64KB)
- memory/4376-134-0x00007FFAD9750000-0x00007FFAD9760000-memory.dmp (Filesize: 64KB)
- memory/4376-135-0x00007FFAD9750000-0x00007FFAD9760000-memory.dmp (Filesize: 64KB)
- memory/4376-136-0x00007FFAD9750000-0x00007FFAD9760000-memory.dmp (Filesize: 64KB)
- memory/4376-137-0x00007FFAD6FA0000-0x00007FFAD6FB0000-memory.dmp (Filesize: 64KB)
- memory/4376-138-0x00007FFAD6FA0000-0x00007FFAD6FB0000-memory.dmp (Filesize: 64KB)