4c5c43f4932ac497c716bb5ec30a7636e5056775a4d5f3f48b9e5c1414b9f7b3

Analysis

max time kernel
138s
max time network
133s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248P.rtf
Size

1.7MB
MD5

5ad591a0c8b8689a5337acf675d8119f
SHA1

8218cbe07fbb35bec9b469cdd6c4e00ccde28a77
SHA256

4c5c43f4932ac497c716bb5ec30a7636e5056775a4d5f3f48b9e5c1414b9f7b3
SHA512

91b98cd6c773a6928f91eae59962b246717c66a0d8f1c618e763ee97e2ea99e3875086466720f74b343957f4a5af84f720ca3d3fc15f659a0d05f351b85ed382

Score

1^/10

Malware Config

Signatures

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\vetu.dll:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\jbet:Zone.Identifier	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE
3844	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3844	WINWORD.EXE
3844	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\248P.rtf" /o ""
1⤵
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
PID:3844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads