Analysis
- max time kernel: 539s
- max time network: 359s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09-06-2020 22:33

Static task: static1
Behavioral task: behavioral1
Sample: bid 06.09.2020.doc
Resource: win10v200430
0 signatures, 0 seconds
General
- Target: bid 06.09.2020.doc
- Size: 117KB
- MD5: 604ffddf9b128893501e078cf20614b4
- SHA1: 00ab48b309631ea1420542e84792619fef594b0f
- SHA256: ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997
- SHA512: f5437529f735bbbbdc36891d49375eaaa2fe03b48b802dbc6826ede3e55ea337e7a61dc09249fb92c5da32717b58fc242ee80433bc473e8ddd49ad65c00512fb
- Score: 10/10
Malware Config
Signatures

Drops file in System32 directory (6 IoCs)
Process: WmiApSrv.exe
- File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h [WmiApSrv.exe]
- File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini [WmiApSrv.exe]
- File created: C:\Windows\system32\PerfStringBackup.TMP [WmiApSrv.exe]
- File opened for modification: C:\Windows\system32\PerfStringBackup.INI [WmiApSrv.exe]
- File created: C:\Windows\system32\perfc009.dat [WmiApSrv.exe]
- File created: C:\Windows\system32\perfh009.dat [WmiApSrv.exe]
Drops file in Windows directory (3 IoCs)
Process: WmiApSrv.exe
- File opened for modification: C:\Windows\inf\WmiApRpl\WmiApRpl.h [WmiApSrv.exe]
- File created: C:\Windows\inf\WmiApRpl\WmiApRpl.ini [WmiApSrv.exe]
- File opened for modification: C:\Windows\inf\WmiApRpl\WmiApRpl.ini [WmiApSrv.exe]
Modifies service (2 TTPs, 6 IoCs)
Process: WmiApSrv.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Help = "8679" [WmiApSrv.exe]
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Object List = "8678 8684 8694 8704 8724 8768 8778 8816 8822 8838" [WmiApSrv.exe]
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\PerfIniFile = "WmiApRpl.ini" [WmiApSrv.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Counter = "8844" [WmiApSrv.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\Last Help = "8845" [WmiApSrv.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmiApRpl\Performance\First Counter = "8678" [WmiApSrv.exe]
Suspicious use of SetWindowsHookEx (20 IoCs)
Process: WINWORD.EXE
- PID 1516 WINWORD.EXE (20 identical entries)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Process: WINWORD.EXE
- PID 1516 WINWORD.EXE (2 identical entries)
Valak JavaScript Loader (1 IoC)
- Resource: C:\Users\Public\CCGYPWTwr.iySAE, YARA rule: valak
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [WINWORD.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [WINWORD.EXE]
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS [WINWORD.EXE]
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [WINWORD.EXE]
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Process: regsvr32.exe
- Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process: pid 2996 (regsvr32.exe), target pid 1516 (WINWORD.EXE)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: WINWORD.EXE, regsvr32.exe, regsvr32.exe
- PID 1516 wrote to memory of 2996: WINWORD.EXE -> regsvr32.exe (2 entries)
- PID 2996 wrote to memory of 3872: regsvr32.exe -> regsvr32.exe (3 entries)
- PID 3872 wrote to memory of 3588: regsvr32.exe -> wscript.exe (3 entries)
Loads dropped DLL (1 IoC)
Process: regsvr32.exe
- PID 3872 regsvr32.exe
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1, PID 1516)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\regsvr32.exe (depth 2, PID 2996)
    Command line: regsvr32 c:\programdata\76497199.dat
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe (depth 3, PID 3872)
      Command line: c:\programdata\76497199.dat
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL

      C:\Windows\SysWOW64\wscript.exe (depth 4, PID 3588)
        Command line: wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE

C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 1668)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies service

C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 1988)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe (depth 1, PID 496)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe