Analysis
- max time kernel: 106s
- max time network: 62s
- platform: windows7_x64
- resource: win7
- submitted: 11-07-2020 07:25
Static task: static1
Behavioral task: behavioral1
- Sample: richiedere.07.20.doc
- Resource: win7, windows7_x64
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: richiedere.07.20.doc
- Resource: win10, windows10_x64
- 0 signatures, 0 seconds
General
- Target: richiedere.07.20.doc
- Size: 134KB
- MD5: 2a3becf45cb2beab4516efe3e2ab2c74
- SHA1: 034531bbf31899b2c44a2887a64b013396cd8e0d
- SHA256: c4b476186a7d27189e16f2c25a20d47c84da5e08fe7994014cbbad879c53dbfd
- SHA512: 02a843000356e760523fee53320ac93c545d39cd34e9791acbf0759e6d55ec511d4c3d299f4a6b5770b47ba737b691cc5af5b496ed05c517b047c2cf668c5546
Score: 10/10
Malware Config
Signatures
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE
  pid: 1588, process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE
  pid: 1588, process: WINWORD.EXE (the same row for each of the 16 IoCs)
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
  description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1748, pid_target: 1588, process: regsvr32.exe, target process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: WINWORD.EXE
  description: PID 1588 wrote to memory of 1748
  pid: 1588, process: WINWORD.EXE, target process: regsvr32.exe (the same row for each of the 5 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: regsvr32.exe
  pid: 1748, process: regsvr32.exe
- Office loads VBA resources, possible macro or embedded object present
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\richiedere.07.20.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 c:\programdata\64632.jpg
    - Process spawned unexpected child process
    - Suspicious behavior: GetForegroundWindowSpam