Analysis
- max time kernel: 138s
- max time network: 133s
- platform: windows10_x64
- resource: win10v200430
- submitted: 09-07-2020 09:29
Static task: static1
Behavioral task: behavioral1
- Sample: documenti_07.20.doc
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: documenti_07.20.doc
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: documenti_07.20.doc
- Size: 147KB
- MD5: 3f4c57007a3d58bb89067c4a0864b2bd
- SHA1: 0b17e8eb16e77703d19a06cbcf835881de0ae48c
- SHA256: b8f073052b8bf06d12ff4cf8182bf75c91248ef19f906ca6213e8cb4cd46ca00
- SHA512: 4abd436d78fbad2f981f66a475674d671cd59361665c571bf1b6a260658344197d019569bb37b6aabfaadfd42ef3a42ff24e2e8083680e153c78727e2005e90c
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
    - PID 3692 wrote to memory of 2080 / 3692 / WINWORD.EXE / regsvr32.exe
    - PID 3692 wrote to memory of 2080 / 3692 / WINWORD.EXE / regsvr32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    - Key opened / \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 / WINWORD.EXE
    - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / WINWORD.EXE
    - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    - Key opened / \REGISTRY\MACHINE\Hardware\Description\System\BIOS / WINWORD.EXE
    - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily / WINWORD.EXE
    - Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU / WINWORD.EXE
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes (pid / process):
    - 3692 / WINWORD.EXE (19 identical entries)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
    - 3692 / WINWORD.EXE (2 identical entries)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process / target process):
    - Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process / 2080 / 3692 / regsvr32.exe / WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documenti_07.20.doc" /o ""
  PID: 3692
  Signatures:
    - Suspicious use of WriteProcessMemory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: AddClipboardFormatListener
  Child process:
  - C:\Windows\System32\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" U.tmp
    PID: 2080
    Signatures:
      - Process spawned unexpected child process