Analysis
-
max time kernel
135s -
max time network
131s -
platform
windows10_x64 -
resource
win10 -
submitted
31-07-2020 13:23
Static task
static1
Behavioral task
behavioral1
Sample
SP0728.rtf
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
SP0728.rtf
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
SP0728.rtf
-
Size
1.6MB
-
MD5
e5b15619b70d6e96af783327dc79eda7
-
SHA1
a30a260cb9c9d3193dc71d580d09656dd5c0f4e1
-
SHA256
7609034e7473869b3a5767f9543b6067998f4db68e3ba26966c115535337337f
-
SHA512
f560fa4d1e3c0d9a1075b82972226682971d942c6db824772cfcd29c1c3baf4aac7e2cbea9f479c1aecf00162a6b01f98ab6aecbcd58deaffa26f9bcc68b954a
Score
1/10
Malware Config
Signatures
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE 3068 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3068 WINWORD.EXE 3068 WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 2 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Temp\muka.dll:Zone.Identifier WINWORD.EXE File opened for modification C:\Users\Admin\AppData\Local\Temp\scmv:Zone.Identifier WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SP0728.rtf" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS