Analysis
- max time kernel: 134s
- max time network: 131s
- platform: windows10_x64
- resource: win10
- submitted: 07-07-2020 06:53
Static task: static1
Behavioral task: behavioral1
- Sample: 308P.rtf
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 308P.rtf
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 308P.rtf
- Size: 1.4MB
- MD5: 2ef8dbe494ce10bbf5a1a85f55bb1030
- SHA1: c72178d6343f8806e41d49c61e07fb7e4ae80dfb
- SHA256: 1e2f23f0bcac6ae9e9fb7febe74b2a4bb0ccf9a08bee3b95254a6b2e4973eb91
- SHA512: bba145a5c3042b3cff3ebc617f0083e4ec62f343583f4dccacde774535c5aaf4788238a2bae1859646b50fe6a81ccaa41ef031b1c9812b1b3de0a606df728628
- Score: 1/10
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes:
    pid   process
    2896  WINWORD.EXE  (8 identical entries)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid   process
    2896  WINWORD.EXE  (2 identical entries)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                      process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0          WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz     WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description         ioc                                                                      process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                       WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily          WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU             WINWORD.EXE
- NTFS ADS (2 IoCs)
  Processes:
    description                   ioc                                                              process
    File opened for modification  C:\Users\Admin\AppData\Local\Temp\jbet:Zone.Identifier           WINWORD.EXE
    File opened for modification  C:\Users\Admin\AppData\Local\Temp\vetu.dll:Zone.Identifier       WINWORD.EXE
Processes
- Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\308P.rtf" /o ""
  PID: 2896
  Signatures:
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS