Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
11-07-2020 07:17
Static task
static1
Behavioral task
behavioral1
Sample
file 07.08.2020.doc
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
file 07.08.2020.doc
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
file 07.08.2020.doc
-
Size
147KB
-
MD5
f87de9e54541c53de616b230852e0d28
-
SHA1
9cf0153c3a04a30c138ab649b8a8cb1286c8fd8a
-
SHA256
f9b682245ad0fe442e1bbe331f67b8c6a6241aac9fb2aa727b020a4f0a897ce2
-
SHA512
5652193e9c969fb3150a8e8c2291f8b964f83ef1e3868df579666273b3abb7f56264993ee259a59e866d38f663f158dc9bd1fc046b377abf8bd8b5fe098e99b5
Score
10/10
Malware Config
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious use of SetWindowsHookEx 19 IoCs
Processes:
WINWORD.EXEpid process 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE 2040 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2040 WINWORD.EXE 2040 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3332 2040 regsvr32.exe WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 2040 wrote to memory of 3332 2040 WINWORD.EXE regsvr32.exe PID 2040 wrote to memory of 3332 2040 WINWORD.EXE regsvr32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file 07.08.2020.doc" /o ""1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" ww.tmp2⤵
- Process spawned unexpected child process