Analysis

Max time kernel: 140s
Max time network: 139s
Platform: windows10_x64
Resource: win10v200430
Submitted: 09-07-2020 15:06
Static task: static1

Behavioral task: behavioral1
  Sample: ioyyf_com_ursnif.doc
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: ioyyf_com_ursnif.doc
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: ioyyf_com_ursnif.doc
Size: 147KB
MD5: 5565bd451356b4002215d2b842b13954
SHA1: 162b25a6c67f15e4a0907bffc87bdffdb7c57b4c
SHA256: 0bf4952eb4a7081a910bf9d122b6ff8fcffccd5d39578e57c98b5b3a16f81816
SHA512: 9aaf88786ca24828d7f9431d72e4a51ff846163a32f1cae78746a4b60daccf183a2b5272d26c3c6e65bd5366c264bd7c7718861f7f5e8257e864b67d569b8975
Score: 10/10
Malware Config
Signatures

Suspicious use of SetWindowsHookEx (19 IoCs)
  Process: WINWORD.EXE (PID 640), 19 occurrences

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Process: WINWORD.EXE (PID 640), 2 occurrences

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  Process: regsvr32.exe (PID 3088)
  Parent: WINWORD.EXE (PID 640)

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 640 (WINWORD.EXE) wrote to memory of PID 3088 (regsvr32.exe)
  PID 640 (WINWORD.EXE) wrote to memory of PID 3088 (regsvr32.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Taken alone this is a weak signal, since legitimate software (Office included) also reads these keys; weight it together with the unexpected child process and the cross-process WriteProcessMemory hits above.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
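The four behavioural signatures above (unexpected Office child process, cross-process WriteProcessMemory, and the two registry fingerprinting checks) can be re-derived from a raw process/registry event trace. The following is an added example written for this page, not the sandbox vendor's own detection code: the pipe-separated trace format, the parent PID 2716 and the `.doc` class-key read are constructed to mirror the events the report lists, and the Office-host and LOLBin child lists are an assumed starter set rather than a complete catalogue.

```python
"""Re-derive the report's behavioural signatures from an event trace.

Added example, not the sandbox's detection code. The trace format below is
an assumption; the PIDs, images and registry keys mirror the report.
"""
import ntpath
from collections import defaultdict

# Constructed trace (not a real sandbox export). Fields per event type:
#   process_create|pid|parent_pid|image_path
#   reg_open|pid|key           reg_query|pid|key\value
#   write_memory|pid|target_pid
SAMPLE_TRACE = r"""
process_create|640|2716|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
reg_query|640|\REGISTRY\MACHINE\SOFTWARE\Classes\.doc
reg_open|640|\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
reg_query|640|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
reg_query|640|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
reg_open|640|\REGISTRY\MACHINE\Hardware\Description\System\BIOS
reg_query|640|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
reg_query|640|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
process_create|3088|640|C:\Windows\System32\regsvr32.exe
write_memory|640|3088
write_memory|640|3088
"""

# Office hosts that should not spawn script hosts or LOLBins. Assumption:
# a small starter set, not an exhaustive list.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
UNEXPECTED_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "cmd.exe",
                       "powershell.exe", "wscript.exe", "cscript.exe"}

# Registry paths the report flags as sandbox fingerprinting. Matched on the
# upper-cased key because the report itself mixes HARDWARE and Hardware.
FINGERPRINT_PREFIXES = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR":
        "Checks processor information in registry",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS":
        "Enumerates system info in registry",
}


def parse_trace(text):
    """Turn the pipe-separated trace into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, *rest = line.split("|")
        ev = {"kind": kind, "pid": int(pid)}
        if kind == "process_create":
            ev["parent"], ev["image"] = int(rest[0]), rest[1]
        elif kind in ("reg_open", "reg_query"):
            ev["key"] = rest[0]
        elif kind == "write_memory":
            ev["target"] = int(rest[0])
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        events.append(ev)
    return events


def detect(events):
    """Return {signature_name: [ioc, ...]} using the report's own wording."""
    # pid -> lower-cased image basename, from the process_create events
    images = {e["pid"]: ntpath.basename(e["image"]).lower()
              for e in events if e["kind"] == "process_create"}
    hits = defaultdict(list)
    for e in events:
        who = images.get(e["pid"], "?")
        if e["kind"] == "process_create":
            parent = images.get(e["parent"], "")
            if parent in OFFICE_HOSTS and who in UNEXPECTED_CHILDREN:
                hits["Process spawned unexpected child process"].append(
                    f"{parent} (pid {e['parent']}) spawned {who} (pid {e['pid']})")
        elif e["kind"] == "write_memory":
            # Only cross-process writes are interesting; self-writes are normal.
            if e["pid"] != e["target"]:
                hits["Suspicious use of WriteProcessMemory"].append(
                    f"PID {e['pid']} ({who}) wrote to memory of "
                    f"{e['target']} ({images.get(e['target'], '?')})")
        else:
            key_upper = e["key"].upper()
            for prefix, name in FINGERPRINT_PREFIXES.items():
                if key_upper.startswith(prefix):
                    verb = "Key opened" if e["kind"] == "reg_open" else "Key value queried"
                    hits[name].append(f"{verb} {e['key']} ({who})")
    return dict(hits)


if __name__ == "__main__":
    for name, iocs in detect(parse_trace(SAMPLE_TRACE)).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("  " + ioc)
```

Run over the constructed trace this yields exactly the counts the report shows (1, 2, 3 and 3 IoCs) and ignores the benign `.doc` class-key read; the parent/child pairing is what carries the weight, and the registry hits are corroboration rather than a verdict on their own.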
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 640)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ioyyf_com_ursnif.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry

  C:\Windows\System32\regsvr32.exe (PID 3088, child of PID 640)
    Command line: "C:\Windows\System32\regsvr32.exe" Nv.tmp
    - Process spawned unexpected child process