Analysis

max time kernel: 69s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 04/03/2021, 17:09
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: 0304_56958375050481.doc
  Resource: win7v20201028
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 0304_56958375050481.doc
  Resource: win10v20201028
  0 signatures, 0 seconds
General

Target: 0304_56958375050481.doc
Size: 743KB
MD5: 7ba91fe733a2b27af2c602525151305d
SHA1: 0c4f2f591db5e0bd0ce580649582f818a9da5179
SHA256: e9e50934dd76164022730125fc00cbe2467afd6e234d2c4873273d4bc6acafe8
SHA512: 9d524efdcb0744e3a8b3bf13b234d8e9f595354ad3d143177e2da3ad9248122d403d596e38fa5055150eecc5866257c2f90bf6fdb9309acd5c67321b480ca4aa
Score: 10/10
Malware Config
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 1624
  pid_target: 1784
  Process: rundll32.exe
  procid_target: 24

Drops file in Windows directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  Process: WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer (written as <IE> here); every entry was made by WINWORD.EXE.
  Key created      <IE>\MenuExt\E&xport to Microsoft Excel
  Set value (str)  <IE>\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created      <IE>\Toolbar
  Set value (str)  <IE>\Toolbar\ShowDiscussionButton = "Yes"
  Key created      <IE>\MenuExt
  Key created      <IE>\MenuExt\Se&nd to OneNote
  Set value (str)  <IE>\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int)  <IE>\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (int)  <IE>\MenuExt\E&xport to Microsoft Excel\Contexts = "1"

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid: 1784
  Process: WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
  pid: 1784
  Process: WINWORD.EXE
  (16 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process      procid_target
  PID 1784 wrote to memory of 1496     1784  WINWORD.EXE  29   (4 entries)
  PID 1784 wrote to memory of 1624     1784  WINWORD.EXE  30   (7 entries)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1784)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0304_56958375050481.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe  (PID 1496)
    Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\rundll32.exe  (PID 1624)
    Command line: "C:\Windows\System32\rundll32.exe" c:\users\admin\appdata\local\temp\Static.dll,MUSWRRVXHJV
    - Process spawned unexpected child process