Analysis
- max time kernel: 135s
- max time network: 131s
- platform: windows10_x64
- resource: win10
- submitted: 02-07-2020 13:26
Static task: static1
Behavioral task: behavioral1
Sample: facts,06.20.doc
Resource: win7v200430
General
- Target: facts,06.20.doc
- Size: 114KB
- MD5: 044be39caae5604b0de18f194a8de4dc
- SHA1: 557f786e4be64a1c8130ee14cd86e937040477f3
- SHA256: 1a76ae32471c077f6ba8525fdc8812cf8aa242cfc7bfac57d04c91d86e5bd378
- SHA512: 92f006efef8444454e4367e84681f43c15df30b4ab55aea7c98f761c0351b4090395dd1bcc7ed342674fe33d73bd6a12e0d7531a1cbdc790de075b5b67d5ccdf
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (regsvr32.exe):
    description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | pid: 3084 | pid_target: 3868 | process: regsvr32.exe | target process: WINWORD.EXE
- Valak JavaScript Loader (2 IoCs)
  Processes:
    resource: C:\Users\Public\MVexBafTc.Sszxu | yara_rule: valak
    resource: C:\Users\Public\MVexBafTc.Sszxu | yara_rule: valak_js
- Loads dropped DLL (1 IoC)
  Processes (regsvr32.exe):
    pid: 3756 | process: regsvr32.exe
- JavaScript code in executable (1 IoC)
  Processes:
    resource: C:\Users\Public\MVexBafTc.Sszxu | yara_rule: js
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (WINWORD.EXE):
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE
    description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (WINWORD.EXE):
    description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
    description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (WINWORD.EXE):
    pid: 3868 | process: WINWORD.EXE (2 entries)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes (WINWORD.EXE):
    pid: 3868 | process: WINWORD.EXE (19 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (WINWORD.EXE, regsvr32.exe, regsvr32.exe):
    description: PID 3868 wrote to memory of 3084 | pid: 3868 | process: WINWORD.EXE | target process: regsvr32.exe (2 entries)
    description: PID 3084 wrote to memory of 3756 | pid: 3084 | process: regsvr32.exe | target process: regsvr32.exe (3 entries)
    description: PID 3756 wrote to memory of 2640 | pid: 3756 | process: regsvr32.exe | target process: wscript.exe (3 entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts,06.20.doc" /o ""
  PID: 3868
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\regsvr32.exe
    command line: regsvr32 c:\programdata\1.dat
    PID: 3084
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      command line: c:\programdata\1.dat
      PID: 3756
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe
        command line: wscript.exe //E:jscript "C:\Users\Public\MVexBafTc.Sszxu
        PID: 2640
- C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 3664
Network
MITRE ATT&CK Enterprise v6
Downloads