480b1ea3a8398cd33681e93114729de81533bdf82e8c02fd4580a0ae2b06681c | Triage

Analysis

max time kernel
114s
max time network
104s
platform
windows7_x64
resource
win7v200213
submitted
14-02-2020 10:30

Sharing

General

Target

malware.malware.doc
Size

706KB
MD5

630980a8bb7a5212dcc1d16fc1fd5e71
SHA1

2f19214d0ac4534be9f33824aad3260a3bfd58f0
SHA256

480b1ea3a8398cd33681e93114729de81533bdf82e8c02fd4580a0ae2b06681c
SHA512

bcdeadcdbf395f9b4695cc663d1a3f1361ed8a20b8e2786141e090f5f9856645b54cfa76a53ed283c7b443d083c0b7e513e4f94a550b21a915099a327adc4f83

Score

4^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1992 WINWORD.EXE
1992 WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Modifies registry class 18 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\FLAGS\ = "4"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\0	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\ = "ITSRemoteProgram2"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}\ = "IMsRdpClientTransportSettings3"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}\ = "ITSRemoteProgram2"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\ = "Microsoft Terminal Services Control Type Library"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}\ = "IMsRdpClientTransportSettings3"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92C38A7D-241A-418C-9936-099872C9AF20}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSTSCLib.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{158A9B1C-3212-49BB-939E-685F99E56F26}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D5B21AC-748D-41DE-8F30-E15169586BD4}	WINWORD.EXE

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\malware.malware.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download