Analysis ID: 200609-59aaj585qn
Score: 10

Analysis
- Max time kernel: 150s
- Max time network: 25s
- Platform: windows7_x64
- Resource: win7v200430
- Submitted: 09-06-2020 22:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: bid 06.09.2020.doc
  Resource: win7v200430
- 0 signatures, 0 seconds
General
- Target: bid 06.09.2020.doc
- Size: 117KB
- MD5: 604ffddf9b128893501e078cf20614b4
- SHA1: 00ab48b309631ea1420542e84792619fef594b0f
- SHA256: ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997
- SHA512: f5437529f735bbbbdc36891d49375eaaa2fe03b48b802dbc6826ede3e55ea337e7a61dc09249fb92c5da32717b58fc242ee80433bc473e8ddd49ad65c00512fb
Malware Config
Signatures
- Valak JavaScript Loader (1 IoC)
  YARA rule "valak" matched the dropped file C:\Users\Public\CCGYPWTwr.iySAE.
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  WINWORD.EXE (PID 868). Low signal on its own: Word registers a clipboard listener during normal startup.
- Suspicious use of SetWindowsHookEx (16 IoCs)
  WINWORD.EXE (PID 868), 16 calls. Also routine for Word; it matters only in combination with the unexpected child process below.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 868) is not expected to spawn regsvr32.exe (PID 1116).
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 868 WINWORD.EXE wrote to memory of PID 1116 regsvr32.exe (5 events)
  PID 1116 regsvr32.exe wrote to memory of PID 1148 regsvr32.exe (7 events)
  PID 1148 regsvr32.exe wrote to memory of PID 1592 wscript.exe (4 events)
  Each parent writes only into the child it has just created, which ordinary process creation also does; the finding is the chain these writes trace (Word -> regsvr32 -> regsvr32 -> wscript), not the API call itself.
- Loads dropped DLL (1 IoC)
  regsvr32.exe (PID 1148)
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 868)
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe (PID 1116)
    Command line: regsvr32 c:\programdata\76497199.dat
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (PID 1148)
      Command line: c:\programdata\76497199.dat
      Signatures: Suspicious use of WriteProcessMemory; Loads dropped DLL
      The 64-bit regsvr32 hands off to its SysWOW64 counterpart, which is what regsvr32 does when the module it is asked to register is 32-bit; 76497199.dat is a DLL under a non-DLL file name.
      - C:\Windows\SysWOW64\wscript.exe (PID 1592)
        Command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
        The //E:jscript switch selects the JScript engine regardless of the file's extension, which is why the loader can live in a file named .iySAE.
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2016)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
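The process chain above is the durable detection opportunity in this report: an Office application spawning regsvr32, regsvr32 registering a file that is not named like a DLL, and a script host run with a forced //E: engine on a file with a meaningless extension. The following is an added example, not part of the Triage report and not Triage's or Valak's code: a small Python detector that evaluates those three conditions over process-creation events and reconstructs the parent chain from PID/PPID links. The event shape (pid, ppid, image, command line) mirrors Sysmon Event ID 1 or Windows 4688, but the records are constructed from the tree above plus two benign controls; the parent PID 1000, the logon script and the vendor DLL are assumptions, and `argv` is a simplified splitter rather than CommandLineToArgvW.

```python
# Added example (not from the report): replay the WINWORD -> regsvr32 -> regsvr32
# -> wscript //E:jscript chain over constructed process-creation events.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line of the new process


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
REGSVR32_OK_EXT = {".dll", ".ocx", ".ax"}          # what regsvr32 legitimately registers
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):] if "." in name else ""


def argv(cmdline: str) -> List[str]:
    """Split on whitespace but keep quoted arguments whole (tolerates a missing closing quote)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"?|\S+', cmdline)]


def rule_office_child(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[str]:
    """An Office application has no business spawning LOLBins or script hosts."""
    if parent and basename(parent.image) in OFFICE_APPS and basename(ev.image) in LOLBINS:
        return f"office_spawned_child: {basename(parent.image)} -> {basename(ev.image)}"
    return None


def rule_regsvr32_odd_extension(ev: ProcEvent) -> Optional[str]:
    """regsvr32 asked to register a file not named like a DLL (here a .dat in ProgramData).
    The WOW64 re-launch carries only the path as its command line, so every path-like
    argument is checked, not just argv[1]."""
    if basename(ev.image) != "regsvr32.exe":
        return None
    for arg in argv(ev.cmdline):
        if "\\" in arg and basename(arg) != "regsvr32.exe" and extension(arg) not in REGSVR32_OK_EXT:
            return f"regsvr32_non_dll_target: {arg}"
    return None


def rule_wscript_engine_override(ev: ProcEvent) -> Optional[str]:
    """//E:<engine> forces an engine onto a file whose extension would not select one."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    args = argv(ev.cmdline)
    engine = next((a.split(":", 1)[1].lower() for a in args if a.lower().startswith("//e:")), None)
    script = next((a for a in args if "\\" in a and basename(a) not in SCRIPT_HOSTS), None)
    if engine and script and extension(script) not in SCRIPT_EXT:
        return f"wscript_forced_engine: //E:{engine} on {script}"
    return None


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk PPID links up to the oldest ancestor we hold an event for (PID reuse is ignored here)."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        chain.append(by_pid[chain[-1].ppid])
        seen.add(chain[-1].pid)
    return chain[::-1]


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for ev in events:
        reasons = [r for r in (rule_office_child(ev, by_pid.get(ev.ppid)),
                               rule_regsvr32_odd_extension(ev),
                               rule_wscript_engine_override(ev)) if r]
        if reasons:
            hits[ev.pid] = reasons
    return hits


def office_to_script_chains(events: List[ProcEvent]) -> List[str]:
    """Chains rooted in an Office app and ending in a script host: the loader in one line."""
    by_pid = {e.pid: e for e in events}
    out = []
    for ev in events:
        if basename(ev.image) in SCRIPT_HOSTS:
            chain = ancestry(ev, by_pid)
            if basename(chain[0].image) in OFFICE_APPS:
                out.append(" -> ".join(f"{basename(e.image)}({e.pid})" for e in chain))
    return out


# Constructed from the report's process tree; PPID 1000 (explorer) and the two benign
# controls at the end are assumptions added to show the rules staying quiet.
SAMPLE_EVENTS = [
    ProcEvent(868, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc"'),
    ProcEvent(1116, 868, r"C:\Windows\system32\regsvr32.exe", r"regsvr32 c:\programdata\76497199.dat"),
    ProcEvent(1148, 1116, r"C:\Windows\SysWOW64\regsvr32.exe", r"c:\programdata\76497199.dat"),
    ProcEvent(1592, 1148, r"C:\Windows\SysWOW64\wscript.exe", r'wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE'),
    ProcEvent(2016, 4, r"C:\Windows\system32\wbem\WmiApSrv.exe", r"C:\Windows\system32\wbem\WmiApSrv.exe"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),
    ProcEvent(3001, 1000, r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
    for chain in office_to_script_chains(SAMPLE_EVENTS):
        print(chain)
```

Against the sample events, PIDs 1116, 1148 and 1592 trip rules while WmiApSrv and the two benign controls stay quiet; the chain reconstruction reproduces the four-process path in the tree above. Each rule is deliberately narrow so the same code can be mapped onto a Sigma or EDR query; the chain check is what turns three medium-confidence hits into one high-confidence alert.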