Task
task1
Sample
Docs_caa116070d1f2f48f3a9964e695226cc.17.docx
Resource
win7
0 signatures
Task
task2
Sample
Docs_caa116070d1f2f48f3a9964e695226cc.17.docx
Resource
win10
0 signatures
General
-
Target
Docs_caa116070d1f2f48f3a9964e695226cc.17
-
Sample
190917-dr4x6669xx
-
SHA256
9fe890f4a1393ef301e24b02ab3c173f230ad7a982808ce6daf130c861422208
Score
N/A
Malware Config
Signatures
-
Suspicious behavior: AddClipboardFormatListener
-
Suspicious use of SetWindowsHookEx
-
at description ioc Process 10828 File created C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm WINWORD.EXE 11312 File created C:\Users\Admin\AppData\Local\Temp\~$cs_caa116070d1f2f48f3a9964e695226cc.17.docx WINWORD.EXE -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
at description ioc Process 11250 Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer WINWORD.EXE 11250 Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName WINWORD.EXE -
Enumerates system info in registry 2 TTPs 5 IoCs
at description ioc Process 11250 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE 11250 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE 11265 Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE 11265 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE 11265 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs
at description ioc Process 11250 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE 11250 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Suspicious use of WriteProcessMemory 1 IoCs
at description Process procid_target 14593 PID 4076 wrote to memory of 2812 SppExtComObj.exe 42
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_caa116070d1f2f48f3a9964e695226cc.17.docx" /o ""1⤵
- Drops Office document
- Checks system information in the registry (likely anti-VM)
- Enumerates system info in registry
- Checks processor information in registry (likely anti-VM)
PID:2976
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4076
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:2812