Analysis

max time kernel: 140s
max time network: 137s
platform: windows10_x64
resource: win10v200430
submitted: 11-07-2020 07:17

Static task: static1

Behavioral task: behavioral1
  Sample: ordine_07.08.20.doc
  Resource: win7
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: ordine_07.08.20.doc
  Resource: win10v200430
  0 signatures, 0 seconds
General

Target: ordine_07.08.20.doc
Size: 147KB
MD5: fe0645535e48000792e5120eec45cf75
SHA1: ec407afabc52b5aa8a223da4b69acf5a26b1ad6a
SHA256: f1721df32789a9e1551010e0fc30caa050366f4c949c1f73fcf317e85e0ecb35
SHA512: 78466f1255589cfa53c629365968bf89a925be26f3cbd924266e3fbb2a42d6bb5c601c6cee52d23322980fa621517f4c0e83394ebcf0780f7859d20127716c98
Score: 10/10
Malware Config

Signatures

Suspicious use of SetWindowsHookEx (19 IoCs)
Processes:
  pid   process
  1616  WINWORD.EXE   (19 identical rows)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid   process
  1616  WINWORD.EXE   (2 identical rows)
Both of these signatures are attributed to WINWORD.EXE itself, so they describe the Word host process rather than anything the document dropped or spawned.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description                                                                                              pid  pid_target  process       target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process  564  1616        regsvr32.exe  WINWORD.EXE
The child is regsvr32.exe (PID 564), started by WINWORD.EXE (PID 1616). Its command line in the process tree below names the module to load only as the relative path ww.tmp, with no /s (silent) switch, and the report does not show where that file was written or what it contains; that file, not the document itself, is the payload to recover.

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                       pid   process      target process
  PID 1616 wrote to memory of 564   1616  WINWORD.EXE  regsvr32.exe
  PID 1616 wrote to memory of 564   1616  WINWORD.EXE  regsvr32.exe
Both writes go from the parent into the child it has just created, which is consistent with ordinary process start-up (CreateProcess itself writes the new process's parameters into it), so these rows add little beyond the spawn; writes into a process WINWORD.EXE had not created would be the stronger signal.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                             process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    WINWORD.EXE
Both registry signatures attribute the reads to WINWORD.EXE rather than to the spawned regsvr32.exe, so on their own they do not separate macro code from the host application's ordinary start-up. The values read (CPU clock and name string, BIOS family and SKU) are the ones sandbox fingerprinting compares against known virtual-machine strings, which is why the sandbox flags them.
Processes

1. "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordine_07.08.20.doc" /o ""   (PID 1616)
   - Suspicious use of SetWindowsHookEx
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of WriteProcessMemory
   - Checks processor information in registry
   - Enumerates system info in registry
   2. "C:\Windows\System32\regsvr32.exe" ww.tmp   (PID 564, spawned by PID 1616)
      - Process spawned unexpected child process
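The two behaviours worth turning into detection logic here are the Office host spawning regsvr32.exe with a non-DLL module, and a process reading the CPU/BIOS registry values listed under the registry signatures. The script below is an added example written for this page, not part of the sandbox's own signature set. It runs both rules over a handful of constructed records built from the PIDs, image paths, command lines and registry paths in the report (explorer.exe as Word's parent, with PID 1000, is an assumption; the report's tree starts at WINWORD.EXE). Field names follow Sysmon event 1 (ProcessCreate); the RegistryQuery record is a hypothetical shape, because Sysmon does not log registry reads and that data would have to come from a sandbox trace or an EDR that records them.

```python
"""Detection logic for the report's two notable behaviours, run over
constructed process-creation and registry-query records (illustrative,
not captured telemetry)."""
import re
from collections import defaultdict

# Office hosts that should not spawn loaders or script engines on their own
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries routinely used to run attacker-supplied code
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
# Extensions regsvr32 is normally asked to register
COM_EXTENSIONS = {".dll", ".ocx", ".ax"}
# Values the report shows being read; sandbox fingerprinting reads the same ones
FINGERPRINT_VALUES = {
    r"hardware\description\system\centralprocessor\0\~mhz",
    r"hardware\description\system\centralprocessor\0\processornamestring",
    r"hardware\description\system\bios\systemfamily",
    r"hardware\description\system\bios\systemsku",
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_module(cmdline):
    """The module regsvr32 was asked to load, ignoring /s, /u, /n, /i:... switches."""
    args = [a for a in argv(cmdline)[1:] if a and not a.startswith(("/", "-"))]
    return args[0] if args else None


def check_process_create(ev):
    """Rule 1: an Office host spawning a LOLBin. For regsvr32 a second signal is
    added when the module is not a COM server extension (ww.tmp in the report)."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_HOSTS or child not in LOLBINS:
        return None
    finding = {"rule": "office_spawns_lolbin", "ppid": ev["ParentProcessId"],
               "pid": ev["ProcessId"], "parent": parent, "child": child,
               "odd_module": None}
    if child == "regsvr32.exe":
        module = regsvr32_module(ev["CommandLine"])
        if module is not None:
            name = basename(module)
            ext = name[name.rfind("."):] if "." in name else ""
            if ext not in COM_EXTENSIONS:
                finding["odd_module"] = module
    return finding


def normalise_key(target):
    """Map \\REGISTRY\\MACHINE\\... or HKLM\\... to a hive-less lower-case path."""
    key = target.lower().replace("/", "\\")
    for prefix in ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\"):
        if key.startswith(prefix):
            return key[len(prefix):]
    return key


def check_registry_reads(events, threshold=2):
    """Rule 2: one process reading `threshold` or more CPU/BIOS fingerprint
    values. Low fidelity alone (the report attributes these reads to
    WINWORD.EXE itself), so correlate with rule 1 on the same process tree."""
    seen = defaultdict(set)
    for ev in events:
        if ev["Type"] != "RegistryQuery":
            continue
        key = normalise_key(ev["TargetObject"])
        if key in FINGERPRINT_VALUES:
            seen[(ev["ProcessId"], basename(ev["Image"]))].add(key)
    return [{"rule": "hardware_fingerprint_reads", "pid": pid, "image": image,
             "values": sorted(keys)}
            for (pid, image), keys in seen.items() if len(keys) >= threshold]


def run(events):
    spawns = [check_process_create(e) for e in events if e["Type"] == "ProcessCreate"]
    return [f for f in spawns if f] + check_registry_reads(events)


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
REGSVR32 = r"C:\Windows\System32\regsvr32.exe"
HKLM_HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
# Constructed from the report. explorer.exe as Word's parent (PID 1000) is an
# assumption; the report's process tree starts at WINWORD.EXE.
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "ProcessId": 1616, "Image": WINWORD,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\ordine_07.08.20.doc" /o ""'},
    {"Type": "RegistryQuery", "ProcessId": 1616, "Image": WINWORD,
     "TargetObject": HKLM_HW + r"\CentralProcessor\0\~MHz"},
    {"Type": "RegistryQuery", "ProcessId": 1616, "Image": WINWORD,
     "TargetObject": HKLM_HW + r"\CentralProcessor\0\ProcessorNameString"},
    {"Type": "RegistryQuery", "ProcessId": 1616, "Image": WINWORD,
     "TargetObject": HKLM_HW + r"\BIOS\SystemFamily"},
    {"Type": "RegistryQuery", "ProcessId": 1616, "Image": WINWORD,
     "TargetObject": HKLM_HW + r"\BIOS\SystemSKU"},
    {"Type": "ProcessCreate", "ProcessId": 564, "Image": REGSVR32,
     "ParentProcessId": 1616, "ParentImage": WINWORD,
     "CommandLine": f'"{REGSVR32}" ww.tmp'},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 fires once, on PID 564 with odd_module set to ww.tmp; the explorer.exe to WINWORD.EXE launch does not match because the parent is not an Office host. Rule 2 fires on PID 1616 with all four values, which is exactly the low-fidelity case the caveat above describes: the hit is on the host process, so it only becomes useful when joined to the spawn finding on the same tree. The threshold and the LOLBIN list are tuning choices for this example, not part of the sandbox's signatures.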