Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
28/03/2024, 02:20
Behavioral task
behavioral1
Sample
bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
Resource
win10v2004-20240226-en
General
-
Target
bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc
-
Size
243KB
-
MD5
c7155ee36a292f7fd3ec128a5386bad3
-
SHA1
d2ebba5249076fdb49f5a70d8391882694478849
-
SHA256
bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea
-
SHA512
bc6c1e4c3c0588f98fc1ebea36ef1d3f5f52c13c8f039d793204be91d4ccd725693c6093ca3cbd3cbf13bf8c775f784ef608b1424a19b6b12f9e606eb8fe6436
-
SSDEEP
6144:Z2hxiaIlxQ1iXaF5H/FtDBoccgbb5UUELzt:ZsDIlxgiXabRpzEL
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3640 | 3704 | Regsvr32.exe | 92
Loads dropped DLL 1 IoCs
pid | Process
3772 | regsvr32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
76 | api.ipify.org
77 | api.ipify.org
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
8 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\plnfile\shell\open\command\ = "Regsvr32 /s \"C:/Users/Admin/AppData/Local/Temp/app.pln\"" | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.pln | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\.pln\ = "plnfile" | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\plnfile | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\plnfile\shell | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\plnfile\shell\open | WINWORD.EXE
Key created | \Registry\User\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\plnfile\shell\open\command | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3704 | WINWORD.EXE (2 events)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3704 | WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3704 wrote to memory of 3640 | 3704 | WINWORD.EXE | 108
PID 3704 wrote to memory of 3640 | 3704 | WINWORD.EXE | 108
PID 3640 wrote to memory of 3772 | 3640 | Regsvr32.exe | 110
PID 3640 wrote to memory of 3772 | 3640 | Regsvr32.exe | 110
PID 3640 wrote to memory of 3772 | 3640 | Regsvr32.exe | 110
PID 3772 wrote to memory of 8 | 3772 | regsvr32.exe | 111
PID 3772 wrote to memory of 8 | 3772 | regsvr32.exe | 111
PID 3772 wrote to memory of 8 | 3772 | regsvr32.exe | 111
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbdbcec62526b94b38d7ab4e0e794efcc363cd7ec033f39c543c666378c317ea.doc" /o ""  1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Windows\system32\Regsvr32.exe  "Regsvr32.exe" /s "C:/Users/Admin/AppData/Local/Temp/app.pln"  2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\regsvr32.exe  /s "C:/Users/Admin/AppData/Local/Temp/app.pln"  3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\schtasks.exe  schtasks.exe /create /sc minute /mo 10 /tn "EdgeUpdate" /tr "regsvr32.exe /s C:/Users/Admin/AppData/Local/Temp/app.pln" /f  4⤵
- Creates scheduled task(s)
PID:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8  1⤵
PID:2980
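The process tree and registry writes above form a compact chain: WINWORD.EXE registers a per-user .pln file association whose open command is regsvr32, launches regsvr32 on app.pln (a non-DLL extension, served from the user's Temp directory), and the 32-bit regsvr32 then installs a scheduled task named EdgeUpdate that re-runs the same command every 10 minutes (ATT&CK T1546.001, T1218.010 and T1053.005, my mapping). The following Python is an added example, not part of the sandbox report and not the sandbox's own detection logic. It runs four hunting rules over Sysmon-style records (event ID 1 process creation, event ID 13 registry value set) that I constructed from the rows shown above, plus one benign schtasks query as a negative case. The field names follow Sysmon; the LOLBin list, the Temp-path and Classes regexes, and the rule names are my choices.

```python
import re

PROCESS_CREATE, REGISTRY_VALUE_SET = 1, 13  # Sysmon event IDs the records below follow
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries routinely used to run attacker-supplied code (my list).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe", "schtasks.exe"}
MODULE_LOADERS = {"regsvr32.exe", "rundll32.exe"}
TEMP_DIR = re.compile(r"[\\/]AppData[\\/]Local[\\/]Temp[\\/]", re.IGNORECASE)
# Per-user file association: ...Classes\<ProgID>\shell\open\command\
CLASSES_OPEN_CMD = re.compile(r"Classes\\[^\\]+\\shell\\open\\command\\", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r'/create\b.*?/tr\s+"?(?P<action>[^"]+)', re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a path written with either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_lolbin(token):
    name = basename(token.strip('"'))
    return name in LOLBINS or name + ".exe" in LOLBINS  # "Regsvr32" without .exe counts too

def tokens(cmdline):
    """Split a command line into arguments, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def office_spawned_lolbin(ev):
    """Office parent creating a LOLBin child (the report's 'unexpected child process')."""
    if (ev["EventID"] == PROCESS_CREATE and basename(ev["ParentImage"]) in OFFICE_APPS
            and basename(ev["Image"]) in LOLBINS):
        return f"{basename(ev['ParentImage'])} spawned {basename(ev['Image'])}: {ev['CommandLine']}"
    return None

def lolbin_runs_temp_module(ev):
    """regsvr32/rundll32 given a module under %TEMP%; a non-.dll extension is a further red flag."""
    if ev["EventID"] != PROCESS_CREATE or basename(ev["Image"]) not in MODULE_LOADERS:
        return None
    for arg in tokens(ev["CommandLine"]):
        if TEMP_DIR.search(arg):
            name = basename(arg)
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            note = "" if ext == "dll" else f" (non-DLL extension .{ext})"
            return f"{basename(ev['Image'])} loads {arg}{note}"
    return None

def schtasks_persistence(ev):
    """schtasks /create whose /tr action runs a LOLBin or anything under %TEMP%."""
    if ev["EventID"] != PROCESS_CREATE or basename(ev["Image"]) != "schtasks.exe":
        return None
    m = SCHTASKS_CREATE.search(ev["CommandLine"])
    if not m:
        return None
    action = m.group("action").strip()
    if is_lolbin(action.split()[0]) or TEMP_DIR.search(action):
        tn = TASK_NAME.search(ev["CommandLine"])
        return f"task {tn.group(1) if tn else '?'} runs: {action}"
    return None

def file_association_hijack(ev):
    """A per-user ProgID's open command pointed at a LOLBin or a %TEMP% payload."""
    if ev["EventID"] != REGISTRY_VALUE_SET or not CLASSES_OPEN_CMD.search(ev["TargetObject"]):
        return None
    details = ev.get("Details", "").strip()
    if details and (is_lolbin(tokens(details)[0]) or TEMP_DIR.search(details)):
        return f"{basename(ev['Image'])} set {ev['TargetObject']} = {details}"
    return None

RULES = (office_spawned_lolbin, lolbin_runs_temp_module, schtasks_persistence, file_association_hijack)

def hunt(events):
    """Return (rule name, pid, finding) for every event a rule fires on, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, ev["ProcessId"], finding))
    return hits

WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
CLASSES = r"\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes"
# Constructed records mirroring the report's process tree and registry writes, plus a benign
# schtasks query that must not fire. The SysWOW64 regsvr32 child appears because the 64-bit
# regsvr32 re-launches the 32-bit copy when handed a 32-bit module.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3640, "Image": r"C:\Windows\system32\Regsvr32.exe",
     "CommandLine": '"Regsvr32.exe" /s "C:/Users/Admin/AppData/Local/Temp/app.pln"',
     "ParentImage": WINWORD},
    {"EventID": 1, "ProcessId": 3772, "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": '/s "C:/Users/Admin/AppData/Local/Temp/app.pln"',
     "ParentImage": r"C:\Windows\system32\Regsvr32.exe"},
    {"EventID": 1, "ProcessId": 8, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 10 /tn "EdgeUpdate" '
                    '/tr "regsvr32.exe /s C:/Users/Admin/AppData/Local/Temp/app.pln" /f',
     "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"EventID": 13, "ProcessId": 3704, "Image": WINWORD,
     "TargetObject": CLASSES + r"\plnfile\shell\open\command\(Default)",
     "Details": 'Regsvr32 /s "C:/Users/Admin/AppData/Local/Temp/app.pln"'},
    {"EventID": 13, "ProcessId": 3704, "Image": WINWORD,
     "TargetObject": CLASSES + r"\.pln\(Default)", "Details": "plnfile"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

Running hunt(SAMPLE_EVENTS) yields five findings: the WINWORD-to-regsvr32 spawn, both regsvr32 instances loading app.pln from Temp, the EdgeUpdate task, and the plnfile open command; the .pln-to-plnfile mapping on its own and the schtasks /query do not fire. On a live host the same three artefacts to check and remove are the EdgeUpdate task, the plnfile ProgID under the user's Classes hive, and app.pln in Temp; deleting only the file leaves a task that fails every 10 minutes and an association ready to run whatever is dropped next.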
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.6MB
MD5 86e9ce5acb23e1ce8fbd63ac2bcdae2e
SHA1 a87d17f6008511b758e7e196ad0c48ef0e2c8a5e
SHA256 f4e45d8de105c1d73091fc6d93106c5eef287f0cb3d97cdc6837f8f6d79ea447
SHA512 36fb7daa1434c2feaf89031b4cd08cca99e2dd4b3831f0b8958b15d856d892e6bdb3374cf4d3ab7c2ba6c36a27c622bdf7bb6f53d71fb2af3161497deea52477