Analysis
-
max time kernel
106s -
max time network
65s -
platform
windows7_x64 -
resource
win7 -
submitted
11-07-2020 07:22
Static task
static1
Behavioral task
behavioral1
Sample
accordo legale.07.20.doc
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
accordo legale.07.20.doc
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
accordo legale.07.20.doc
-
Size
134KB
-
MD5
8f2f3030cd7cddcd5ec80f4585a1714b
-
SHA1
d632b2efa2723e480b3a952a1d5a9bcb46c00248
-
SHA256
1c822d787c03d5fdefa8efa54a8af4ae8622223b2b01c2a6cbf040f4a218a2ce
-
SHA512
8880c7265e7f7e636d6c861fe288f3040882ca4bcc1e4b5c59e0a89e02f4a348a9930c5da21a16e5d6065c86eca6e4fd0eb6fb3678df3a42b5379c6cc1881c0e
Score
10/10
Malware Config
Signatures
-
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE 892 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1528 892 regsvr32.exe WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 892 wrote to memory of 1528 892 WINWORD.EXE regsvr32.exe PID 892 wrote to memory of 1528 892 WINWORD.EXE regsvr32.exe PID 892 wrote to memory of 1528 892 WINWORD.EXE regsvr32.exe PID 892 wrote to memory of 1528 892 WINWORD.EXE regsvr32.exe PID 892 wrote to memory of 1528 892 WINWORD.EXE regsvr32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
regsvr32.exepid process 1528 regsvr32.exe -
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 892 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\accordo legale.07.20.doc"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\regsvr32.exeregsvr32 c:\programdata\15841.jpg2⤵
- Process spawned unexpected child process
- Suspicious behavior: GetForegroundWindowSpam