Overview

overview

10

Static

static

commerce .07.20.doc

windows7_x64

10

commerce .07.20.doc

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    15/07/2020, 08:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    commerce .07.20.doc

  • Size

    113KB

  • MD5

    0a06de4d1e1a09df9ef0936abaa91155

  • SHA1

    3fbd6f8b88606a56c038afd8aae4f83b3230b960

  • SHA256

    b2303e5ce1a67a85d66031163421fdb221a021fda89d21a1dba1b448acfae8eb

  • SHA512

    2400fa4ad0cb5f4b291a15f19ed6b53ba9d53044bf6efdef17e46b5e0830386922f6483b9ee13d340ca38faed3d87229d1a3212ce36f6337f4c1e1d4dd1fefb0

Score
10/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 5 IoCs
  • Loads dropped DLL 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce .07.20.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SYSTEM32\regsvr32.exe
      regsvr32 E5.tmp
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3892
      • C:\Windows\SysWOW64\regsvr32.exe
        E5.tmp
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Loads dropped DLL
        PID:1712

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3840-0-0x000001FAAEAA0000-0x000001FAAEAA4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3840-6-0x000001FAB0010000-0x000001FAB0021000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3840-7-0x000001FAB01AE000-0x000001FAB0219000-memory.dmp

          Filesize

          428KB

          Download

        • memory/3840-8-0x000001FAB01AE000-0x000001FAB0219000-memory.dmp

          Filesize

          428KB

          Download