Analysis
-
max time kernel
300s -
max time network
297s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
08-10-2020 15:18
Static task
static1
Behavioral task
behavioral1
Sample
siyah_.doc
Resource
win7
windows7_x64
0 signatures
0 seconds
General
-
Target
siyah_.doc
-
Size
7.9MB
-
MD5
81f6232eec40898bd0ba0cc1601a82b3
-
SHA1
be0c271f83112b07d55582b89a113dc8b3d5097d
-
SHA256
64aeffe15aece5ae22e99d9fd55657788e71c1c52ceb08e3b16b8475b8655059
-
SHA512
2a14e7083132d0041963faec181912ef3f441a2ef2b77c2c70eb2b6be3c676a92321253cf254fc502f86373aaf4b8499e04c02380a28e7fcd1dfda7cdea991ad
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3144 496 cmd.exe 65 -
Executes dropped EXE 3 IoCs
pid Process 4032 python.exe 632 python.exe 1868 python.exe -
resource yara_rule behavioral2/files/0x000500000001a676-7.dat office_xlm_macros -
Loads dropped DLL 38 IoCs
pid Process 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 4032 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 632 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe 1868 python.exe -
JavaScript code in executable 9 IoCs
resource yara_rule behavioral2/files/0x000600000001a676-11.dat js behavioral2/files/0x000600000001a676-14.dat js behavioral2/files/0x000100000001ad69-33.dat js behavioral2/files/0x000100000001ad69-36.dat js behavioral2/files/0x000100000001ad69-37.dat js behavioral2/files/0x000600000001a676-48.dat js behavioral2/files/0x000100000001ad69-62.dat js behavioral2/files/0x000600000001a676-72.dat js behavioral2/files/0x000100000001ad69-80.dat js -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 496 WINWORD.EXE 496 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: 35 4032 python.exe Token: 35 632 python.exe Token: 35 1868 python.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE 496 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 496 wrote to memory of 3144 496 WINWORD.EXE 73 PID 496 wrote to memory of 3144 496 WINWORD.EXE 73 PID 496 wrote to memory of 4032 496 WINWORD.EXE 76 PID 496 wrote to memory of 4032 496 WINWORD.EXE 76 PID 496 wrote to memory of 4032 496 WINWORD.EXE 76 PID 4032 wrote to memory of 3844 4032 python.exe 79 PID 4032 wrote to memory of 3844 4032 python.exe 79 PID 4032 wrote to memory of 3844 4032 python.exe 79 PID 3844 wrote to memory of 632 3844 cmd.exe 80 PID 3844 wrote to memory of 632 3844 cmd.exe 80 PID 3844 wrote to memory of 632 3844 cmd.exe 80 PID 4032 wrote to memory of 1136 4032 python.exe 84 PID 4032 wrote to memory of 1136 4032 python.exe 84 PID 4032 wrote to memory of 1136 4032 python.exe 84 PID 1136 wrote to memory of 1868 1136 cmd.exe 85 PID 1136 wrote to memory of 1868 1136 cmd.exe 85 PID 1136 wrote to memory of 1868 1136 cmd.exe 85
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\siyah_.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SYSTEM32\cmd.execmd /c copy C:\Users\Admin\AppData\Local\Temp\siyah_.doc C:\Users\Public\argument.doc2⤵
- Process spawned unexpected child process
PID:3144
-
-
C:\Users\Public\Milan37\python.exeC:\Users\Public\Milan37\python.exe "C:\Users\Public\\Milan37\starter.py"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Milan37\python.exe" "C:\Users\Public\Milan37\milan.py""3⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Users\Public\Milan37\python.exe"C:\Users\Public\Milan37\python.exe" "C:\Users\Public\Milan37\milan.py"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:632
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Milan37\python.exe" "C:\Users\Public\Milan37\fmilan.py""3⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Public\Milan37\python.exe"C:\Users\Public\Milan37\python.exe" "C:\Users\Public\Milan37\fmilan.py"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
-