Analysis
- max time kernel: 117s
- max time network: 154s
- platform: windows10_x64
- resource: win10v200217
- submitted: 03-04-2020 02:47
Static task: static1
Behavioral task: behavioral1
- Sample: 3f6bcebf86443d834e6e8cac82c0bc2df9ef4321b0ff9d8fe1947a9c96916947.doc
- Resource: win7v200217
Behavioral task: behavioral2
- Sample: 3f6bcebf86443d834e6e8cac82c0bc2df9ef4321b0ff9d8fe1947a9c96916947.doc
- Resource: win10v200217
General
- Target: 3f6bcebf86443d834e6e8cac82c0bc2df9ef4321b0ff9d8fe1947a9c96916947.doc
- Size: 437KB
- MD5: c2dbe8de78ec536def222cd8de84686d
- SHA1: ed72419e4f56022a1cc764e37957fb9a91ffbf77
- SHA256: 3f6bcebf86443d834e6e8cac82c0bc2df9ef4321b0ff9d8fe1947a9c96916947
- SHA512: 2b088f58a03af7e0b07a76ac728dbad5b91ad41990e6033fbb42b74eb1506e80dfb34a7d44dcd3ee0c638a60d208a4b7340c2d205e23b98ac94a5076ed33fb74
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious use of SetWindowsHookEx (20 IoCs)
Processes: WINWORD.EXE
pid | process
4040 | WINWORD.EXE (row repeated 20 times)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4040 | WINWORD.EXE (row repeated 2 times)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3f6bcebf86443d834e6e8cac82c0bc2df9ef4321b0ff9d8fe1947a9c96916947.doc" /o ""
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry