Analysis

  • max time kernel
    539s
  • max time network
    359s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    09-06-2020 22:33

General

  • Target

    bid 06.09.2020.doc

  • Size

    117KB

  • MD5

    604ffddf9b128893501e078cf20614b4

  • SHA1

    00ab48b309631ea1420542e84792619fef594b0f

  • SHA256

    ecd83bffe02f85d61cebfd27c78e305e427ff5ad30c3cf6c03db5b59a5dc7997

  • SHA512

    f5437529f735bbbbdc36891d49375eaaa2fe03b48b802dbc6826ede3e55ea337e7a61dc09249fb92c5da32717b58fc242ee80433bc473e8ddd49ad65c00512fb

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies service 2 TTPs 6 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Valak JavaScript Loader 1 IoCs
  • Valak

    Valak is a JavaScript loader, a link in a chain of distribution of other malware families.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 8 IoCs
  • Loads dropped DLL 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid 06.09.2020.doc" /o ""
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 c:\programdata\76497199.dat
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\regsvr32.exe
        c:\programdata\76497199.dat
        3⤵
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:3872
        • C:\Windows\SysWOW64\wscript.exe
          wscript.exe //E:jscript "C:\Users\Public\CCGYPWTwr.iySAE
          4⤵
            PID:3588
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies service
      PID:1668
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:1988
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:496

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads