Analysis
- max time kernel: 146s
- max time network: 26s
- platform: windows7_x64
- resource: win7v200430
- submitted: 28-06-2020 07:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: adjure_06.26.2020.doc
- Resource: win7v200430
General
- Target: adjure_06.26.2020.doc
- Size: 117KB
- MD5: 7ecef428b39c93f449292c1344c2d26f
- SHA1: 32170dadf5481cdf794bb13e8c794df277c1f828
- SHA256: c2222ea9ba5e0bceba9721084fb70b803f6a4cbf962e98b9a8ea3125f76a685f
- SHA512: 86bcadffcb89775307ba4f401f97dbec89e2eebc6f66b08b1b8cf9caa722951c7623a5007658c9bc08861a7191808ce649826111b9575d8c610240111c556967
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 740 | 288 | regsvr32.exe | WINWORD.EXE
- Valak JavaScript Loader (2 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Public\whjkAbMaz.MVTXe | valak
  - C:\Users\Public\whjkAbMaz.MVTXe | valak_js
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 1076 | regsvr32.exe
- JavaScript code in executable (1 IoC)
  Processes (resource | yara_rule):
  - C:\Users\Public\whjkAbMaz.MVTXe | js
- Office loads VBA resources, possible macro or embedded object present
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes (description | flow | ioc):
  - HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  - 288 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (pid | process):
  - 288 | WINWORD.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process):
  - PID 288 wrote to memory of 740 | 288 | WINWORD.EXE | regsvr32.exe (5 entries)
  - PID 740 wrote to memory of 1076 | 740 | regsvr32.exe | regsvr32.exe (7 entries)
  - PID 1076 wrote to memory of 556 | 1076 | regsvr32.exe | wscript.exe (4 entries)
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\adjure_06.26.2020.doc"
  PID: 288
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 c:\programdata\64961.jpg
    PID: 740
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: c:\programdata\64961.jpg
      PID: 1076
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe
        Command line: wscript.exe //E:jscript "C:\Users\Public\whjkAbMaz.MVTXe
        PID: 556
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1568
Downloads
- MD5: fb602d3da0fa8a77faf30957de03618b
  SHA1: 0ffa7c8827709d3fa5cf9c029a149f20d9cf9eb3
  SHA256: 3967320c32862614b2a44026c808567bbb6c290f86d753adde10e9723959769e
  SHA512: fcc36faa35ddc208407870a5b55d76883c7e6208fa28378456f9e914c65a9a861d58b5deaa7c8c0c1bfba9d6d296677171679b3f64c4a76c7de8e17b29ff30e7
- MD5: 8b7786e11dc53af09f1a3b47a44b2a0b
  SHA1: b4a138956beae46fdf319d7848da05f5a35503cb
  SHA256: a643bd69ae55df6b45d107658dbb45ae7a715c130aace3d3190c21c0f3464321
  SHA512: 6d3215bf398d92c0f9236527abaf7ca087c1559578e2e5082e55d8814c5e8b195e7f84acfc1a27bc4d4e6c3f51787cdce1bb0e2d78eeeb4d80391496ba01cdfb