bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a

Analysis

Target

bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a(1).doc
Size

132KB
MD5

098a437654cdb48161d6b5f32c6446ae
SHA1

dbcdb66974e7a4d9c47fec70e2e740efbd42fbf5
SHA256

bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a
SHA512

7bc4e33a665a74ee71ffed2ebdbbc54c80ba4a09343a0a0af3878b6b4f44aca1ad1e6ab08cdd70bcf9a74ccec9103f53b926b94a660bb035a3b24334ad76c81e

Score

10^/10

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1796	1456	regsvr32.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	regsvr32.exe
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	regsvr32.exe
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	regsvr32.exe
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	regsvr32.exe
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvr32.exe

pid process

1796 regsvr32.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1456 WINWORD.EXE

pid	process
1796	regsvr32.exe

\??\c:\programdata\19165.jpg

Download Submit
memory/1456-0-0x0000000005C80000-0x0000000005CE5000-memory.dmp

Filesize
404KB

Download
memory/1796-4-0x0000000000000000-mapping.dmp

Download