spamreports

Untitled

Nov 24th, 2019
20191121 EF52627.doc
----------------------------------------------------------------------
https://www.virustotal.com/gui/file/3ab3dc400f569d157a83eb0356db06d6b93e20de01915a9305fe33b9dbec95f9/detection

SHA-256 3ab3dc400f569d157a83eb0356db06d6b93e20de01915a9305fe33b9dbec95f9
Name file 20191121 EF52627.doc
Size 216.08 KB
2019-11-21 04:52:15 UTC

Basic properties
MD5 efe7836fca6a77974da723c8b4511e48
SHA-1 ec87c9d8c10eb08734ff4222bcec13cd61b368e3
SHA-256 3ab3dc400f569d157a83eb0356db06d6b93e20de01915a9305fe33b9dbec95f9
SSDEEP 3072:EeBSfHH+UaqFh5zACnB7sgIKZvfI3U4uYxWEubHP:EeBSfHHNaqHnxI4fbvDrL
File type MS Word Document
File size 216.08 KB (221271 bytes)
----------------------------------------------------------------------

Detection rate 1/57
Arcabit - HEUR.VBA.Struct.1

----------------------------------------------------------------------
Drops Office document
  WINWORD.EXE
  Reported IOC
  WINWORD.EXE
    C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm File opened for modification
    C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm File created
    C:\Users\Admin\AppData\Local\Temp\file 20191121 EF52627.doc File opened for modification

Drops file in system dir
  BITS
  Reported IOC
  BITS
    C:\Windows\Debug\ESE.TXT File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp File created
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File opened for modification
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp File created

Suspicious use of WriteProcessMemory
  SppExtComObj.exe
  Reported IOC
  SppExtComObj.exe
    PID 3976 wrote to memory of 3948

Checks system information in the registry (likely anti-VM)
  WINWORD.EXE
  DoSvc
  Matched TTPs
    Query Registry
    System Information Discovery
  Reported IOC
  WINWORD.EXE
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried
  Reported IOC
  DoSvc
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried

Enumerates system info in registry
  WINWORD.EXE
  Matched TTPs
    Query Registry
    System Information Discovery
  Reported IOC
  WINWORD.EXE
    \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key opened
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried
    \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key opened
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key value queried

Checks processor information in registry (likely anti-VM)
  WINWORD.EXE
  Matched TTPs
    Query Registry
    System Information Discovery
  Reported IOC
  WINWORD.EXE
    \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key opened
    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried

Suspicious behavior: AddClipboardFormatListener
  WINWORD.EXE

Suspicious use of SetWindowsHookEx
  WINWORD.EXE

Windows security modification
  wscsvc
  Matched TTPs
    Disabling Security Tools
    Modify Registry
  Reported IOC
  wscsvc
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int)
    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" Set value (int)

----------------------------------------------------------------------
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID: 4928)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file 20191121 EF52627.doc" /o ""
SppExtComObj.exe (PID: 3976)
  C:\Windows\system32\SppExtComObj.exe -Embedding
SLUI.exe (PID: 3948)
  "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
svchost.exe (PID: 4616)
  c:\windows\system32\svchost.exe -k netsvcs -s BITS
svchost.exe (PID: 4696)
  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
svchost.exe (PID: 4240)
  c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
svchost.exe (PID: 4064)
  c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
svchost.exe
  c:\windows\system32\svchost.exe -k unistacksvcgroup