Analysis
-
max time kernel
146s -
max time network
25s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
11-07-2020 07:18
Static task
static1
Behavioral task
behavioral1
Sample
documento ufficiale,07.20.doc
Resource
win7v200430
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
documento ufficiale,07.20.doc
Resource
win10
0 signatures
0 seconds
General
-
Target
documento ufficiale,07.20.doc
-
Size
147KB
-
MD5
29d55324310c106a92fd0e1b422b39de
-
SHA1
d87feba63dab58c4754c205b1c3cda9169d9a274
-
SHA256
604d7046297dcbf29e1e3a53ecf27136c4e39b2e36fe2314559f380b564ff7b4
-
SHA512
5b478c89aebec5d85723e9b6e84115514e0e8c60a589b7426169ca147dbc97d4357ef9283ee42d33a7fcde215350ea951f2e2d4ecc228f8d85926937c48f3ac6
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1052 1356 regsvr32.exe WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1356 wrote to memory of 1052 1356 WINWORD.EXE regsvr32.exe PID 1356 wrote to memory of 1052 1356 WINWORD.EXE regsvr32.exe PID 1356 wrote to memory of 1052 1356 WINWORD.EXE regsvr32.exe PID 1356 wrote to memory of 1052 1356 WINWORD.EXE regsvr32.exe PID 1356 wrote to memory of 1052 1356 WINWORD.EXE regsvr32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
regsvr32.exepid process 1052 regsvr32.exe -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1356 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE 1356 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documento ufficiale,07.20.doc"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" wG.tmp2⤵
- Process spawned unexpected child process
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1052-3-0x0000000000000000-mapping.dmp