17f73a5cd04ca12f2a9b359d2871fc6bf198c4952dc715b57970eea0bd78471c

Resubmissions

14-02-2020 12:41

200214-c8mbcdxx2n 8

14-02-2020 08:55

200214-nwlkaf1l7j 8

14-02-2020 05:56

200214-v1sx1y43kx 8

Analysis

max time kernel
142s
max time network
115s
platform
windows7_x64
resource
win7v200213
submitted
14-02-2020 05:56

Sharing

Copy URL

Twitter E-mail

General

Target

malware.docx
Size

455KB
MD5

ab284dccb09484ff6a3a116152edcb75
SHA1

68bfb664e9712195e83d401b5775c475842cb72d
SHA256

17f73a5cd04ca12f2a9b359d2871fc6bf198c4952dc715b57970eea0bd78471c
SHA512

5f58a93d32bedfa5d2aaef8ab27ed7a6e264f529295bbc8daadf8b2b8d85732ccfee3ae8d3b7e22f8c9d61f49cd61a098e8415e85b79674e977b0c0cc5b4e5f2

Score

8^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

salesforce_Report.exe

pid process

1016 salesforce_Report.exe
1016 salesforce_Report.exe
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEsalesforce_Report.exe커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE
1016 salesforce_Report.exe
1584 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid	process
1016	salesforce_Report.exe
1016	salesforce_Report.exe

pid	process
1992	WINWORD.EXE

pid	process
1992	WINWORD.EXE
1992	WINWORD.EXE
1016	salesforce_Report.exe
1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WINWORD.EXEsalesforce_Report.exe커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

description	pid	process	target process
PID 1992 wrote to memory of 1016	1992	WINWORD.EXE	salesforce_Report.exe
PID 1992 wrote to memory of 1016	1992	WINWORD.EXE	salesforce_Report.exe
PID 1992 wrote to memory of 1016	1992	WINWORD.EXE	salesforce_Report.exe
PID 1992 wrote to memory of 1016	1992	WINWORD.EXE	salesforce_Report.exe
PID 1016 wrote to memory of 1584	1016	salesforce_Report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 1016 wrote to memory of 1584	1016	salesforce_Report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 1016 wrote to memory of 1584	1016	salesforce_Report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 1016 wrote to memory of 1584	1016	salesforce_Report.exe	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe
PID 1584 wrote to memory of 1784	1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

salesforce_Report.exe커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid process

1016 salesforce_Report.exe
1584 커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

pid	process
1016	salesforce_Report.exe
1584	커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware.docx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
"C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1016

C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe
"C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
C:\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe

Download Submit
\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
\ProgramData\커пе피&هوةпиթեյо;;ուրճг;;зedコーчВыーр咖啡.exe

Download Submit
memory/1016-2-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/1584-7-0x0000000000650000-0x0000000000684000-memory.dmp

Filesize
208KB

Download
memory/1584-9-0x0000000000B90000-0x0000000000BC1000-memory.dmp

Filesize
196KB

Download
memory/1992-0-0x0000000005AB0000-0x0000000005AB4000-memory.dmp

Filesize
16KB

Download