Analysis
- Max time kernel: 147s
- Max time network: 133s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 26-06-2020 17:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: adjure_06.26.2020.doc
- Resource: win7
General
- Target: adjure_06.26.2020.doc
- Size: 117KB
- MD5: 7ecef428b39c93f449292c1344c2d26f
- SHA1: 32170dadf5481cdf794bb13e8c794df277c1f828
- SHA256: c2222ea9ba5e0bceba9721084fb70b803f6a4cbf962e98b9a8ea3125f76a685f
- SHA512: 86bcadffcb89775307ba4f401f97dbec89e2eebc6f66b08b1b8cf9caa722951c7623a5007658c9bc08861a7191808ce649826111b9575d8c610240111c556967
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
    pid: 2192 | pid_target: 3768 | process: regsvr32.exe | target process: WINWORD.EXE
- Valak JavaScript Loader (2 IoCs)
  Processes:
    resource: C:\Users\Public\whjkAbMaz.MVTXe | yara_rule: valak
    resource: C:\Users\Public\whjkAbMaz.MVTXe | yara_rule: valak_js
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 2216 | process: regsvr32.exe
- JavaScript code in executable (1 IoC)
  Processes:
    resource: C:\Users\Public\whjkAbMaz.MVTXe | yara_rule: js
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  Processes:
    description: HTTP User-Agent header | flow: 12 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid: 3768 | process: WINWORD.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes:
    pid: 3768 | process: WINWORD.EXE (19 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description: PID 3768 wrote to memory of 2192 | process: WINWORD.EXE | target process: regsvr32.exe (2 entries)
    description: PID 2192 wrote to memory of 2216 | process: regsvr32.exe | target process: regsvr32.exe (3 entries)
    description: PID 2216 wrote to memory of 3920 | process: regsvr32.exe | target process: wscript.exe (3 entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc" /o ""
   PID: 3768
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\regsvr32.exe
      Command line: regsvr32 c:\programdata\64961.jpg
      PID: 2192
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: c:\programdata\64961.jpg
         PID: 2216
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wscript.exe
            Command line: wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe
            PID: 3920
1. C:\Windows\system32\wbem\WmiApSrv.exe
   Command line: C:\Windows\system32\wbem\WmiApSrv.exe
   PID: 2108
Network
MITRE ATT&CK Enterprise v6
Downloads