Analysis
- max time kernel: 115s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 11-07-2020 07:23
Static task: static1
Behavioral task: behavioral1
- Sample: certificato-07.08.20.doc
- Resource: win7, windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: certificato-07.08.20.doc
- Resource: win10, windows10_x64
- 0 signatures
- 0 seconds
General
- Target: certificato-07.08.20.doc
- Size: 134KB
- MD5: 0a1f37db056ff83c5161a2604fc0f978
- SHA1: 9ff7afd9002eafe4c409dfaadde932fb5400666f
- SHA256: 340997943546e3a333e84ca3764f721b48218557389534beebe4a2ab13b968d4
- SHA512: a0c2d9aeb70660964d0bf8c01a25cf3f5c4d1012270663403ad54029b064000b5afdb989f2f3be2f00673f5384fcadd31716dc405dd7f3295523576ce0563217
Score
10/10
Malware Config
Signatures
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes: WINWORD.EXE
    pid: 1124, process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx 16 IoCs
  Processes: WINWORD.EXE
    pid: 1124, process: WINWORD.EXE (16 identical entries)
- Process spawned unexpected child process 1 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: regsvr32.exe
    description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid: 1484, pid_target: 1124, process: regsvr32.exe, target process: WINWORD.EXE
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes: WINWORD.EXE
    description: PID 1124 wrote to memory of 1484
    pid: 1124, process: WINWORD.EXE, target process: regsvr32.exe (5 identical entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: regsvr32.exe
    pid: 1484, process: regsvr32.exe
- Office loads VBA resources, possible macro or embedded object present
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificato-07.08.20.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\regsvr32.exe
  regsvr32 c:\programdata\64974.jpg
  - Process spawned unexpected child process
  - Suspicious behavior: GetForegroundWindowSpam