Analysis

max time kernel: 67s
max time network: 43s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 13:23
Static task: static1

Behavioral task: behavioral1
Sample: SP0728.rtf
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: SP0728.rtf
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General

Target: SP0728.rtf
Size: 1.6MB
MD5: e5b15619b70d6e96af783327dc79eda7
SHA1: a30a260cb9c9d3193dc71d580d09656dd5c0f4e1
SHA256: 7609034e7473869b3a5767f9543b6067998f4db68e3ba26966c115535337337f
SHA512: f560fa4d1e3c0d9a1075b82972226682971d942c6db824772cfcd29c1c3baf4aac7e2cbea9f479c1aecf00162a6b01f98ab6aecbcd58deaffa26f9bcc68b954a
Score: 7/10
Malware Config
Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE (pid 1060)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: WINWORD.EXE (pid 1060), 3 hits

Loads dropped DLL (1 IoC)
Processes: EQNEDT32.EXE (pid 1548)

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SP0728.rtf"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Loads dropped DLL
- Launches Equation Editor