Analysis
max time kernel: 127s
max time network: 25s
platform: windows7_x64
resource: win7v200430
submitted: 11-07-2020 07:24
Static task: static1

Behavioral task: behavioral1
Sample: raccontare.07.08.2020.doc
Resource: win7v200430, windows7_x64
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: raccontare.07.08.2020.doc
Resource: win10, windows10_x64
0 signatures
0 seconds

General
Target: raccontare.07.08.2020.doc
Size: 134KB
MD5: bcc82032ede3c935fd6e7c1deb1ad072
SHA1: 33e69f3c2a77b369421bbd315f5ed2d2e94160a2
SHA256: 2b276d5638fef9e9774853b42fe3626c15a13653423c2da87638f725b687696b
SHA512: aa491163724907095ca85bced842f203e70c843f0d1eeb1b10bfd8f81684169297ee92f07de2451f03f1463075ca51795446fcc5faacdc0dd67971edbbc0cb52
Score: 10/10
Malware Config
Signatures
- Office loads VBA resources, possible macro or embedded object present
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE
    pid: 376, process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE
    pid: 376, process: WINWORD.EXE (listed 16 times)
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
    description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid: 1116, pid_target: 376, process: regsvr32.exe, target process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: WINWORD.EXE
    description: PID 376 wrote to memory of 1116
    pid: 376, process: WINWORD.EXE, target process: regsvr32.exe (listed 5 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: regsvr32.exe
    pid: 1116, process: regsvr32.exe

Processes
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\raccontare.07.08.2020.doc"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Windows\system32\regsvr32.exe
regsvr32 c:\programdata\64632.jpg
- Process spawned unexpected child process
- Suspicious behavior: GetForegroundWindowSpam