Analysis

max time kernel: 140s
max time network: 136s
platform: windows7_x64
resource: win7v200430
submitted: 02-07-2020 13:26

Tasks:
  Static task: static1
  Behavioral task: behavioral1 (sample: facts,06.20.doc; resource: win7v200430)
General

Target: facts,06.20.doc
Size: 114KB
MD5: 044be39caae5604b0de18f194a8de4dc
SHA1: 557f786e4be64a1c8130ee14cd86e937040477f3
SHA256: 1a76ae32471c077f6ba8525fdc8812cf8aa242cfc7bfac57d04c91d86e5bd378
SHA512: 92f006efef8444454e4367e84681f43c15df30b4ab55aea7c98f761c0351b4090395dd1bcc7ed342674fe33d73bd6a12e0d7531a1cbdc790de075b5b67d5ccdf
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process:
    process regsvr32.exe (PID 1832), parent WINWORD.EXE (PID 892)

Valak JavaScript Loader (2 IoCs)
  resource C:\Users\Public\MVexBafTc.Sszxu, yara rule: valak
  resource C:\Users\Public\MVexBafTc.Sszxu, yara rule: valak_js

Loads dropped DLL (1 IoC)
  regsvr32.exe (PID 1836)

JavaScript code in executable (1 IoC)
  resource C:\Users\Public\MVexBafTc.Sszxu, yara rule: js

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  WINWORD.EXE (PID 892)

Suspicious use of SetWindowsHookEx (16 IoCs)
  WINWORD.EXE (PID 892), 16 events

Suspicious use of WriteProcessMemory (16 IoCs)
  PID 892 WINWORD.EXE wrote to memory of PID 1832 regsvr32.exe (5 events)
  PID 1832 regsvr32.exe wrote to memory of PID 1836 regsvr32.exe (7 events)
  PID 1836 regsvr32.exe wrote to memory of PID 1896 wscript.exe (4 events)
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID 892)
  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\regsvr32.exe (PID 1832)
      regsvr32 c:\programdata\1.dat
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regsvr32.exe (PID 1836)
          c:\programdata\1.dat
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\wscript.exe (PID 1896)
              wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu

C:\Windows\system32\wbem\WmiApSrv.exe (PID 316)
  C:\Windows\system32\wbem\WmiApSrv.exe
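The "unexpected child process" signature and the WINWORD.EXE -> regsvr32.exe -> regsvr32.exe -> wscript.exe chain above are what a process-creation detection rule is written against. The following is an added example, not part of the sandbox report and not any vendor's detection logic: it walks a list of process-creation events and applies three checks, an Office application spawning a living-off-the-land binary, regsvr32 being handed a module whose extension is not a DLL, and a script host forced onto an engine with //E: while the script file carries a non-script extension. The event records are constructed from the PIDs and command lines in this report; the parent/child sets and extension lists are assumptions chosen for the example, not taken from the page.

```python
"""Parent/child process-chain checks modelled on the Office -> regsvr32 -> wscript chain
in this report.  Added example; the EVENTS list below is constructed from the report's
process tree, not exported from the sandbox."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: pid, parent pid, image path and command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input transcribed from the report's process tree.  A ppid of 0 marks a
# root that the sandbox did not attribute to another tracked process (assumption).
EVENTS = [
    ProcEvent(892, 0, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc"'),
    ProcEvent(1832, 892, r"C:\Windows\system32\regsvr32.exe", r"regsvr32 c:\programdata\1.dat"),
    ProcEvent(1836, 1832, r"C:\Windows\SysWOW64\regsvr32.exe", r"c:\programdata\1.dat"),
    ProcEvent(1896, 1836, r"C:\Windows\SysWOW64\wscript.exe",
              r'wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu'),
    ProcEvent(316, 0, r"C:\Windows\system32\wbem\WmiApSrv.exe", r"C:\Windows\system32\wbem\WmiApSrv.exe"),
]

# Rule sets are assumptions for this example, not from the report.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
UNEXPECTED_OFFICE_CHILDREN = {"regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
                              "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_SUFFIXES = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
MODULE_SUFFIXES = {".dll", ".ocx", ".ax"}

# A quoted token (closing quote optional, because the report's wscript line lacks one) or a bare token.
_TOKEN = re.compile(r'"([^"]*)"?|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into tokens, stripping quotes."""
    return [q or bare for q, bare in _TOKEN.findall(cmdline) if q or bare]


def image_name(path):
    """Lower-cased file name of an image path."""
    return PureWindowsPath(path).name.lower()


def payload_args(cmdline, host_stems):
    """Non-switch tokens of a command line, minus the host program itself."""
    return [tok for tok in tokenize(cmdline)
            if not tok.startswith(("/", "-"))
            and PureWindowsPath(tok).stem.lower() not in host_stems]


def ancestry(by_pid, pid):
    """Image names from the outermost known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def check_event(ev, by_pid):
    """Return the list of rule hits for one event."""
    findings = []
    child = image_name(ev.image)
    parent = by_pid.get(ev.ppid)
    parent_name = image_name(parent.image) if parent else None

    # Rule 1: the report's "unexpected child" signature, generalised to the common Office apps.
    if parent_name in OFFICE_APPS and child in UNEXPECTED_OFFICE_CHILDREN:
        findings.append(f"unexpected-child: {parent_name} (PID {parent.pid}) spawned {child} (PID {ev.pid})")

    # Rule 2: regsvr32 registering a module whose extension is not one of the usual COM module types.
    if child == "regsvr32.exe":
        for mod in payload_args(ev.cmdline, {"regsvr32"}):
            suffix = PureWindowsPath(mod).suffix.lower()
            if suffix not in MODULE_SUFFIXES:
                findings.append(f"regsvr32-odd-module: PID {ev.pid} registers {mod!r} (suffix {suffix or 'none'!r})")

    # Rule 3: a script host running a file with a non-script extension; //E: forces the engine
    # regardless of extension, so the extension alone says nothing about what will execute.
    if child in SCRIPT_HOSTS:
        engine = re.search(r"//E:(\w+)", ev.cmdline, re.IGNORECASE)
        for script in payload_args(ev.cmdline, {"wscript", "cscript"}):
            suffix = PureWindowsPath(script).suffix.lower()
            if suffix not in SCRIPT_SUFFIXES:
                forced = f", engine forced to {engine.group(1)}" if engine else ""
                findings.append(f"script-host-odd-extension: PID {ev.pid} runs {script!r}{forced}")
        chain = ancestry(by_pid, ev.pid)
        if any(name in OFFICE_APPS for name in chain[:-1]):
            findings.append("office-descendant: " + " > ".join(chain))
    return findings


def scan(events):
    """Map pid -> findings for every event that triggers at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    results = {}
    for ev in events:
        hits = check_event(ev, by_pid)
        if hits:
            results[ev.pid] = hits
    return results


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        for hit in hits:
            print(pid, hit)
```

Run against the constructed events, the scan flags PID 1832 twice (Office child, non-DLL module), PID 1836 once (non-DLL module) and PID 1896 twice (non-script extension with a forced engine, Office in its ancestry), while WINWORD.EXE and WmiApSrv.exe produce nothing. Rule 3 walks the full ancestry rather than only the direct parent because, as the tree shows, the script host is two regsvr32 hops below Word; a parent-only rule would miss it.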
Network
MITRE ATT&CK Matrix
Downloads
MD5: fa1ad61db6981a6021ee910b16134c3b
SHA1: 6be70926a8e12eb456ccdecd54ce3a9d8550361e
SHA256: 32061d3b3c2d869560c1ecc5d82b8bda978a66d45e881f0e490d88dfc0488320
SHA512: 60476da5dadb3dd96fe8d5b016e26347cce9b661902d41a5fcb9f24d66f8401bf34b53b18132888ece9735d26ed140230fbfc40e605c2e9ebf2397fb35d5ea23

MD5: 0790e65e6925fc63a75856c0b4c0cd65
SHA1: afd468cf7c2302fa07ac8691e03997b953836287
SHA256: bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512: d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1

MD5: 0790e65e6925fc63a75856c0b4c0cd65
SHA1: afd468cf7c2302fa07ac8691e03997b953836287
SHA256: bff33dc4020ac8eeb354eb4a20f241f0bef6e1f15c029ba33b2350d84e8de42a
SHA512: d23c8b05e6c666e493751912662a85f84b42fa9beef0cb32fd4bd4a5c6343e0f0c86a9559b4fe39f407406c98cddbcf45b7509bf1c63782fa852167ba4b74ae1