Analysis
- max time kernel: 542s
- max time network: 119s
- platform: windows7_x64
- resource: win7v200213
- submitted: 14-02-2020 05:24

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: malware.docx
- Resource: win7v200213 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: malware.docx
- Size: 455KB
- MD5: ab284dccb09484ff6a3a116152edcb75
- SHA1: 68bfb664e9712195e83d401b5775c475842cb72d
- SHA256: 17f73a5cd04ca12f2a9b359d2871fc6bf198c4952dc715b57970eea0bd78471c
- SHA512: 5f58a93d32bedfa5d2aaef8ab27ed7a6e264f529295bbc8daadf8b2b8d85732ccfee3ae8d3b7e22f8c9d61f49cd61a098e8415e85b79674e977b0c0cc5b4e5f2
- Score: 8/10
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: PID 1996 WINWORD.EXE (2 entries); PID 1392 salesforce_Report.exe; PID 1524 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1996 WINWORD.EXE wrote to memory of PID 1392 salesforce_Report.exe (4 entries)
  PID 1392 salesforce_Report.exe wrote to memory of PID 1524 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe (4 entries)
  PID 1524 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe wrote to memory of PID 1644 svchost.exe (6 entries)
- Executes dropped EXE (2 IoCs)
  Processes: PID 1392 salesforce_Report.exe; PID 1524 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1392 salesforce_Report.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeShutdownPrivilege, PID 1996 WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 1996 WINWORD.EXE
Processes
- [1] C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 1996)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware.docx"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: AddClipboardFormatListener
  - [2] C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe (PID 1392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Loads dropped DLL
    - [3] C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe (PID 1524)
      Command line: "C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      - [4] C:\Windows\system32\svchost.exe (PID 1644)
        Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
- C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
- \ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
- memory/1392-6-0x0000000000650000-0x0000000000684000-memory.dmp (208KB)
- memory/1524-11-0x0000000001C70000-0x0000000001CA4000-memory.dmp (208KB)
- memory/1524-13-0x0000000001EF0000-0x0000000001F21000-memory.dmp (196KB)
- memory/1996-0-0x00000000060F0000-0x00000000060F4000-memory.dmp (16KB)