Analysis
max time kernel: 149s
max time network: 158s
platform: windows7_x64
resource: win7v200430
submitted: 22-05-2020 16:50

Static task: static1
Behavioral task: behavioral1
Sample: bid_05.20.doc
Resource: win7v200430
General
Target: bid_05.20.doc
Size: 93KB
MD5: c20c9b35bb637f123e13d76b9856be94
SHA1: b5d2640247e6ef9424741cf2cfd47f9b837f252a
SHA256: d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c
SHA512: 03365c04e0e09d02fe6cd6fa41e68eab9c50878f29f8b2f74c93773abc207d765069183476d33d800141f8e4398558a57f639cfd0d2674465e09ae80121856fe
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
pid: 1292 (process: regsvr32.exe)
pid_target: 748 (target process: WINWORD.EXE)

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: pid 748 WINWORD.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: pid 748 WINWORD.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: pid 748 WINWORD.EXE (16 occurrences)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: PID 748 (WINWORD.EXE) wrote to memory of PID 1292 (regsvr32.exe), 5 occurrences
A parent writing into a child it has just created is part of normal process start-up on Windows, so by itself this corroborates the WINWORD.EXE to regsvr32.exe spawn rather than proving code injection.
Processes
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 748)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  C:\Windows\system32\regsvr32.exe (PID 1292, child of 748)
    Command line: regsvr32 c:\programdata\36586915.dat
    Signatures: Process spawned unexpected child process
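As an added example (not part of this report or the sandbox vendor's code), the Python below turns the process tree above into detection logic run over Sysmon-style process-creation events. The event records are constructed to mirror the tree (PIDs 748 and 1292 and the same command lines); the explorer.exe parent with PID 1000 and the benign installer event are invented for contrast, and the Sysmon field names and the list of user-writable roots are assumptions.

```python
"""Detection logic for an Office process spawning regsvr32 with a non-DLL module.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed:
the first two mirror the report's process tree, the third is a benign control.
Field names follow Sysmon Event ID 1 (ProcessCreate); that is an assumption
about the telemetry source.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts whose children deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Proxy-execution binaries a document has no business launching.
SUSPICIOUS_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
# COM servers registered by regsvr32 normally carry one of these extensions.
REGSVR32_EXPECTED_EXT = {".dll", ".ocx", ".ax"}
# User-writable roots where dropped payloads usually land (heuristic, assumed list).
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    parent_pid: int
    detail: str


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the module regsvr32 was asked to load, skipping /s, /u, /n, /i:... switches."""
    for tok in split_cmdline(cmdline)[1:]:        # drop the executable itself
        if not tok.startswith(("/", "-")):
            return tok
    return None


def evaluate(event: dict) -> List[Finding]:
    """Apply the three rules to one ProcessCreate event."""
    findings: List[Finding] = []
    pid, ppid = event["ProcessId"], event["ParentProcessId"]
    child = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()

    # Rule 1: the report's "unexpected child process" signature, generalised to other LOLBins.
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(Finding("office_spawns_lolbin", pid, ppid, f"{parent} -> {child}"))

    # Rules 2 and 3: regsvr32 loads the module with LoadLibrary and calls its
    # DllRegisterServer export, so the extension is cosmetic. A non-COM extension,
    # or a module sitting in a user-writable path, points at a disguised DLL.
    if child == "regsvr32.exe":
        target = regsvr32_target(event["CommandLine"])
        if target:
            ext = ntpath.splitext(target)[1].lower()
            if ext not in REGSVR32_EXPECTED_EXT:
                findings.append(Finding("regsvr32_non_dll_extension", pid, ppid, target))
            if target.lower().startswith(WRITABLE_ROOTS):
                findings.append(Finding("regsvr32_module_in_writable_path", pid, ppid, target))
    return findings


def scan(events: List[dict]) -> List[Finding]:
    """Run evaluate() over every ProcessCreate (EventID 1) record."""
    return [f for e in events if e.get("EventID") == 1 for f in evaluate(e)]


# Constructed events: two mirror the report's tree, the third is a benign installer.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 748, "ParentProcessId": 1000,
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc"'},
    {"EventID": 1, "ProcessId": 1292, "ParentProcessId": 748,
     "Image": r"C:\Windows\system32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r"regsvr32 c:\programdata\36586915.dat"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1900,
     "Image": r"C:\Windows\system32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:34} pid={f.pid} ppid={f.parent_pid} {f.detail}")
```

Against the constructed events only PID 1292 fires, on all three rules; the installer registering a real .dll from Program Files is silent. The two regsvr32 rules do not look at the parent at all, so they still catch the same module if it is later relaunched from something other than an Office process.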
Network
MITRE ATT&CK Matrix
Downloads
MD5: 27759b5877264eb385bb1d290296d066
SHA1: 9bbc815b15c1affcbb7185d993803d9efc890829
SHA256: 7c0e9f60f353dd3705a96a41980aaf84dead5336420902084e757ca6e3feea18
SHA512: 5d9dcdce1ddde1b2cedd74b77c59b424b14f5b32ebe0440a1c24168c3b0f1320702a3cacfbf6553da0e230541acbc4aeaaca7ed87c5f97234b2b008df1812bc4