Resubmissions

  • 14-02-2020 12:41  200214-c8mbcdxx2n  8
  • 14-02-2020 08:55  200214-nwlkaf1l7j  8
  • 14-02-2020 05:56  200214-v1sx1y43kx  8

Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v191014
  • submitted
    14-02-2020 05:56

General

  • Target

    malware.docx

  • Size

    455KB

  • MD5

    ab284dccb09484ff6a3a116152edcb75

  • SHA1

    68bfb664e9712195e83d401b5775c475842cb72d

  • SHA256

    17f73a5cd04ca12f2a9b359d2871fc6bf198c4952dc715b57970eea0bd78471c

  • SHA512

    5f58a93d32bedfa5d2aaef8ab27ed7a6e264f529295bbc8daadf8b2b8d85732ccfee3ae8d3b7e22f8c9d61f49cd61a098e8415e85b79674e977b0c0cc5b4e5f2

Score
8/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware.docx" /o ""
    1⤵
    • Suspicious use of WriteProcessMemory
    • Checks processor information in registry
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4952
    • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
      "C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4648
    • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
      "C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4752
    • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
      "C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4848

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012) 2
    • System Information Discovery (T1082) 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
  • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
  • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe
  • C:\Users\Admin\AppData\Local\Temp\salesforce_Report.exe