Analysis
- max time kernel: 139s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 22-05-2020 16:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: bid_05.20.doc
  - Resource: win7v200430
General
- Target: bid_05.20.doc
- Size: 93KB
- MD5: c20c9b35bb637f123e13d76b9856be94
- SHA1: b5d2640247e6ef9424741cf2cfd47f9b837f252a
- SHA256: d506a7e9111252495ae25542a3dcc2d0a142447e2499b191bd76098f0f32859c
- SHA512: 03365c04e0e09d02fe6cd6fa41e68eab9c50878f29f8b2f74c93773abc207d765069183476d33d800141f8e4398558a57f639cfd0d2674465e09ae80121856fe
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1644 | 1740 | regsvr32.exe | WINWORD.EXE
- Valak JavaScript Loader (2 IoCs)
    resource | yara_rule
    C:\Users\Public\OuJnXEmSq.OZcyY | valak
    C:\Users\Public\OuJnXEmSq.OZcyY | valak_js
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe
    pid | process
    3016 | regsvr32.exe
- JavaScript code in executable (1 IoC)
    resource | yara_rule
    C:\Users\Public\OuJnXEmSq.OZcyY | js
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    1740 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes: WINWORD.EXE
    pid | process
    1740 | WINWORD.EXE (19 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, regsvr32.exe, regsvr32.exe
    description | pid | process | target process
    PID 1740 wrote to memory of 1644 | 1740 | WINWORD.EXE | regsvr32.exe (2 occurrences)
    PID 1644 wrote to memory of 3016 | 1644 | regsvr32.exe | regsvr32.exe (3 occurrences)
    PID 3016 wrote to memory of 1936 | 3016 | regsvr32.exe | wscript.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1740)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid_05.20.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\regsvr32.exe (PID 1644)
    Command line: regsvr32 c:\programdata\36586915.dat
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 3016)
      Command line: c:\programdata\36586915.dat
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe (PID 1936)
        Command line: wscript.exe //E:jscript "C:\Users\Public\OuJnXEmSq.OZcyY
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 3720)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v6
Downloads