Analysis
-
max time kernel
300s -
max time network
292s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
08-10-2020 15:18
Static task
static1
Behavioral task
behavioral1
Sample
3aadbf7e527fc1a050e1c97fea1cba4d.doc
Resource
win7
windows7_x64
0 signatures
0 seconds
General
-
Target
3aadbf7e527fc1a050e1c97fea1cba4d.doc
-
Size
7.9MB
-
MD5
3aadbf7e527fc1a050e1c97fea1cba4d
-
SHA1
2cf055b3ef60582ca72e77bc4693ea306360f611
-
SHA256
208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407
-
SHA512
642fadbcb8c94858a770de4e6e419bcc6c223e92fe3294f0b56519bdd4b74cdc9918ebac83a91627de5bef4cfd42a1abde79c4bf9e2801f582e18c9fd5000976
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 1460 2884 cmd.exe 65 -
Executes dropped EXE 3 IoCs
pid Process 3100 python.exe 2572 python.exe 2132 python.exe -
resource yara_rule behavioral2/files/0x000100000001ad66-8.dat office_xlm_macros -
Loads dropped DLL 33 IoCs
pid Process 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 3100 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2572 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe 2132 python.exe -
JavaScript code in executable 9 IoCs
resource yara_rule behavioral2/files/0x000100000001ad7e-12.dat js behavioral2/files/0x000100000001ad7e-15.dat js behavioral2/files/0x000100000001ad7f-33.dat js behavioral2/files/0x000100000001ad7f-36.dat js behavioral2/files/0x000100000001ad7f-37.dat js behavioral2/files/0x000100000001ad7e-46.dat js behavioral2/files/0x000100000001ad7f-58.dat js behavioral2/files/0x000100000001ad7e-64.dat js behavioral2/files/0x000100000001ad7f-71.dat js -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2884 WINWORD.EXE 2884 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: 35 3100 python.exe Token: 35 2572 python.exe Token: 35 2132 python.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE 2884 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2884 wrote to memory of 1460 2884 WINWORD.EXE 75 PID 2884 wrote to memory of 1460 2884 WINWORD.EXE 75 PID 2884 wrote to memory of 3100 2884 WINWORD.EXE 79 PID 2884 wrote to memory of 3100 2884 WINWORD.EXE 79 PID 2884 wrote to memory of 3100 2884 WINWORD.EXE 79 PID 3100 wrote to memory of 3680 3100 python.exe 83 PID 3100 wrote to memory of 3680 3100 python.exe 83 PID 3100 wrote to memory of 3680 3100 python.exe 83 PID 3680 wrote to memory of 2572 3680 cmd.exe 84 PID 3680 wrote to memory of 2572 3680 cmd.exe 84 PID 3680 wrote to memory of 2572 3680 cmd.exe 84 PID 3100 wrote to memory of 8 3100 python.exe 85 PID 3100 wrote to memory of 8 3100 python.exe 85 PID 3100 wrote to memory of 8 3100 python.exe 85 PID 8 wrote to memory of 2132 8 cmd.exe 86 PID 8 wrote to memory of 2132 8 cmd.exe 86 PID 8 wrote to memory of 2132 8 cmd.exe 86
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3aadbf7e527fc1a050e1c97fea1cba4d.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SYSTEM32\cmd.execmd /c copy C:\Users\Admin\AppData\Local\Temp\3aadbf7e527fc1a050e1c97fea1cba4d.doc C:\Users\Public\docer.doc2⤵
- Process spawned unexpected child process
PID:1460
-
-
C:\Users\Public\Python37\python.exeC:\Users\Public\Python37\python.exe "C:\Users\Public\\Python37\launcher.py"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\smile.py""3⤵
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Users\Public\Python37\python.exe"C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\smile.py"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\frown.py""3⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Public\Python37\python.exe"C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\frown.py"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
-