Resubmissions (date, task ID, score)
14-02-2020 12:41  200214-c8mbcdxx2n  8
14-02-2020 08:55  200214-nwlkaf1l7j  8
14-02-2020 05:56  200214-v1sx1y43kx  8

Analysis
Max time kernel:  283s
Max time network: 47s
Platform:         windows7_x64
Resource:         win7v200213
Submitted:        14-02-2020 12:41

Tasks
Static task     static1      sample malware.docx              0 signatures, 0 seconds
Behavioral task behavioral1  resource win7v200213 (windows7_x64)
General
Target: malware.docx
Size:   455KB
MD5:    ab284dccb09484ff6a3a116152edcb75
SHA1:   68bfb664e9712195e83d401b5775c475842cb72d
SHA256: 17f73a5cd04ca12f2a9b359d2871fc6bf198c4952dc715b57970eea0bd78471c
SHA512: 5f58a93d32bedfa5d2aaef8ab27ed7a6e264f529295bbc8daadf8b2b8d85732ccfee3ae8d3b7e22f8c9d61f49cd61a098e8415e85b79674e977b0c0cc5b4e5f2
Score:  8/10
Malware Config
(none extracted)

Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 992   WINWORD.EXE

Suspicious use of SetWindowsHookEx (8 IoCs)
  pid 992   WINWORD.EXE (6 hits)
  pid 1704  salesforce_Report.exe (1 hit)
  pid 1752  커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe (1 hit)

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 992  (WINWORD.EXE) wrote to memory of PID 1704 (salesforce_Report.exe), 4 times
  PID 1704 (salesforce_Report.exe) wrote to memory of PID 1752 (커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe), 4 times
  PID 1752 (커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe) wrote to memory of PID 1756 (svchost.exe), 6 times

  Note: every write above goes from a parent into a process it has just created (compare the process tree below), and CreateProcess itself writes into the new child's address space, so these 14 IoCs on their own are the spawn footprint rather than proof of injection. The actionable signal is the chain shape: Word launching an executable from %TEMP%, that executable launching a second dropped executable from C:\ProgramData, and that one launching svchost.exe from a parent other than services.exe.

Executes dropped EXE (2 IoCs)
  pid 1704  salesforce_Report.exe
  pid 1752  커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Loads dropped DLL (2 IoCs)
  pid 1704  salesforce_Report.exe (2 hits)

Office loads VBA resources, possible macro or embedded object present
  Note: the target carries a .docx extension, from which Word should not run a VBA project, so an embedded object is the likelier vehicle. If the file is a real OOXML container, unzip it and check word/embeddings/ and word/vbaProject.bin; if it does not unzip at all, the extension does not match the format and the format needs identifying first.
Processes (process tree; indentation shows parent/child depth, PIDs taken from the signature data)

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  (pid 992)
  command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware.docx"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe  (pid 1704)
    command line: "C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Loads dropped DLL

    C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe  (pid 1752)
      command line: "C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE

      C:\Windows\system32\svchost.exe  (pid 1756)
        command line: C:\Windows\system32\svchost.exe
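The WriteProcessMemory records and the process tree above can be cross-checked mechanically. The script below is an added example for this report, not sandbox code: it parses records in the exact "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" form this report prints, collapses repeats into per-edge counts, walks the writer-to-target chain from WINWORD.EXE, and labels each edge as a spawn-time write (target is the writer's child in the tree) or a cross-process write (injection candidate). The sample records and the parent map are constructed from this report's own data; the alert names and the Office image list are the example's own choices.

```python
"""Reconstruct and triage the WriteProcessMemory chain from a sandbox report.

Added example for this report; not part of the sandbox's own tooling.
Record format parsed (one per line):
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
"""
import re
from collections import Counter

RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<src2>\d+) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Example's own list of Office hosts whose children deserve attention.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed input: the 14 records from this report, one per line.
ODD_EXE = "커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe"
SAMPLE_RECORDS = "\n".join(
    ["PID 992 wrote to memory of 1704 992 WINWORD.EXE salesforce_Report.exe"] * 4
    + [f"PID 1704 wrote to memory of 1752 1704 salesforce_Report.exe {ODD_EXE}"] * 4
    + [f"PID 1752 wrote to memory of 1756 1752 {ODD_EXE} svchost.exe"] * 6
)

# Parent relationships copied from the report's process tree (pid -> parent pid).
PARENT_OF = {1704: 992, 1752: 1704, 1756: 1752}


def parse_records(text):
    """Return (src_pid, src_img, dst_pid, dst_img) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or m["src"] != m["src2"]:  # the pid column must repeat the writer
            continue
        out.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return out


def edge_counts(records):
    """Collapse repeated records into one edge per (writer, target) with a hit count."""
    return Counter(records)


def write_chain(edges, root_pid):
    """Longest writer -> target path starting at root_pid (DFS, cycle-safe)."""
    succ = {}
    for src, _, dst, _ in edges:
        succ.setdefault(src, []).append(dst)
    best = [root_pid]

    def walk(path):
        nonlocal best
        if len(path) > len(best):
            best = path
        for nxt in succ.get(path[-1], []):
            if nxt not in path:
                walk(path + [nxt])

    walk([root_pid])
    return best


def classify_edges(edges, parent_of):
    """Label each edge: 'spawn' when the target is the writer's own child
    (CreateProcess writes into the new child, so such writes are expected),
    otherwise 'cross-process' (a genuine injection candidate)."""
    labels = {}
    for (src, _, dst, _), n in edges.items():
        kind = "spawn" if parent_of.get(dst) == src else "cross-process"
        labels[(src, dst)] = (kind, n)
    return labels


def triage(edges, parent_of):
    """Alerts a practitioner would act on from these records plus the tree."""
    alerts = []
    for (src, src_img, dst, dst_img), n in edges.items():
        if src_img.lower() in OFFICE_IMAGES:
            alerts.append(f"office-child: {src_img}({src}) -> {dst_img}({dst})")
        if dst_img.lower() == "svchost.exe" and src_img.lower() != "services.exe":
            alerts.append(f"svchost-odd-parent: {src_img}({src}) -> svchost.exe({dst})")
        if parent_of.get(dst) != src:
            alerts.append(f"cross-process-write: {src_img}({src}) -> {dst_img}({dst}) x{n}")
    return alerts


if __name__ == "__main__":
    edges = edge_counts(parse_records(SAMPLE_RECORDS))
    print("chain:", " -> ".join(map(str, write_chain(edges, 992))))
    for edge, label in classify_edges(edges, PARENT_OF).items():
        print("edge", edge, label)
    for alert in triage(edges, PARENT_OF):
        print("ALERT", alert)
```

Run against this report the chain comes out as 992 -> 1704 -> 1752 -> 1756, every edge is labelled "spawn", and the two alerts raised are the Office-spawned executable and svchost.exe started by something other than services.exe; a write into a process the writer did not create would additionally produce a "cross-process-write" alert.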
Network
(no entries)

MITRE ATT&CK Matrix
(no entries)
Downloads

Dropped files
  C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
  C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
  \ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Memory dumps (memory/<pid>-<n>-<start>-<end>-memory.dmp, size)
  memory/992-0-0x0000000005A70000-0x0000000005A74000-memory.dmp    16KB
  memory/1704-6-0x00000000004C0000-0x00000000004F4000-memory.dmp   208KB
  memory/1752-11-0x00000000005C0000-0x00000000005F4000-memory.dmp  208KB
  memory/1752-13-0x0000000000800000-0x0000000000831000-memory.dmp  196KB