Resubmissions

22-05-2020 16:50

200522-jwvt9cagt6 10

22-05-2020 16:43

200522-gl21s88ymx 10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    22-05-2020 16:50

General

  • Target

    bid_05.20.doc

  • Size

    93KB

  • MD5

    c20c9b35bb637f123e13d76b9856be94

  • SHA1

    b5d2640247e6ef9424741cf2cfd47f9b837f252a

  • SHA256

    d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c

  • SHA512

    03365c04e0e09d02fe6cd6fa41e68eab9c50878f29f8b2f74c93773abc207d765069183476d33d800141f8e4398558a57f639cfd0d2674465e09ae80121856fe

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\system32\regsvr32.exe
      regsvr32 c:\programdata\36586915.dat
      2⤵
      • Process spawned unexpected child process
      PID:1292

Network

MITRE ATT&CK Matrix

Downloads

  • \??\c:\programdata\36586915.dat

    MD5

    27759b5877264eb385bb1d290296d066

    SHA1

    9bbc815b15c1affcbb7185d993803d9efc890829

    SHA256

    7c0e9f60f353dd3705a96a41980aaf84dead5336420902084e757ca6e3feea18

    SHA512

    5d9dcdce1ddde1b2cedd74b77c59b424b14f5b32ebe0440a1c24168c3b0f1320702a3cacfbf6553da0e230541acbc4aeaaca7ed87c5f97234b2b008df1812bc4