Analysis
-
max time kernel
71s -
max time network
21s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03/03/2021, 14:30
Static task
static1
Behavioral task
behavioral1
Sample
0303_7987150656181.doc
Resource
win7v20201028
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0303_7987150656181.doc
Resource
win10v20201028
0 signatures
0 seconds
General
-
Target
0303_7987150656181.doc
-
Size
775KB
-
MD5
a6a62c994891464d42307d946f7c770e
-
SHA1
99d5b3df9e3cc14b7aa46f8da393443f51da743e
-
SHA256
1cdb6e242c5166d15c994c0472d1d14548ce660e6c1f30c156a944b690b5946c
-
SHA512
795c408f08797374ebfa692bfb56fd9eb373bc690487c79cf663a6e005713ecabe386ed730fc93b4542a1eaf508bb88023965958431d1b8bfafec90962e346d2
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1932 1752 rundll32.exe 24 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1752 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE 1752 WINWORD.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1752 wrote to memory of 1408 1752 WINWORD.EXE 26 PID 1752 wrote to memory of 1408 1752 WINWORD.EXE 26 PID 1752 wrote to memory of 1408 1752 WINWORD.EXE 26 PID 1752 wrote to memory of 1408 1752 WINWORD.EXE 26 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27 PID 1752 wrote to memory of 1932 1752 WINWORD.EXE 27
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0303_7987150656181.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1408
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,WIOYJIOLYGA2⤵
- Process spawned unexpected child process
PID:1932
-