Analysis

- max time kernel: 106s
- max time network: 65s
- platform: windows7_x64
- resource: win7
- submitted: 11-07-2020 07:25
Static task: static1

Behavioral task: behavioral1
- Sample: documenti,07.20.doc
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: documenti,07.20.doc
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General

- Target: documenti,07.20.doc
- Size: 132KB
- MD5: 73a93d4e240df1801c2d031108bdee2c
- SHA1: 4d8348892e63505e2a65bd5b484626860584df6a
- SHA256: 42ccd85c910961fa939059b6903462d1d1da80ab275b93de655ca248fdb1880b
- SHA512: 4fed5a027bccb97f2a2d2d965adbb62a19653fcc52f41e07b208e18272f6303453dc6885c260c3db551d047038f5cfe8295ea4061b359f2e8157cabf5b93e545
- Score: 10/10
Malware Config
Signatures

- Office loads VBA resources, possible macro or embedded object present

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1108, process WINWORD.EXE

- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes:
    pid 1108, process WINWORD.EXE (reported 16 times)

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid 1512, process regsvr32.exe; target pid 1108, target process WINWORD.EXE

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description: PID 1108 wrote to memory of 1512
    pid 1108, process WINWORD.EXE; target process regsvr32.exe (reported 5 times)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1512, process regsvr32.exe
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documenti,07.20.doc"
  PID: 1108
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\regsvr32.exe (child of PID 1108)
    Command line: regsvr32 c:\programdata\35734.jpg
    PID: 1512
    - Process spawned unexpected child process
    - Suspicious behavior: GetForegroundWindowSpam