dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Resubmissions

14-01-2021 11:54

210114-7xa6tfh59x 10

14-01-2021 11:48

210114-q634htvf9a 10

14-01-2021 01:32

210114-d1g1zn1d22 8

Analysis

max time kernel
140s
max time network
133s
platform
windows10_x64
resource
win10v20201028
submitted
14-01-2021 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample1.bin.doc
Size

830KB
MD5

7dbd8ecfada1d39a81a58c9468b91039
SHA1

0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256

dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
SHA512

a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

640 WINWORD.EXE
640 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE
640 WINWORD.EXE

pid	process
640	WINWORD.EXE
640	WINWORD.EXE

pid	process
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample1.bin.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-2-0x00007FFC2FEB0000-0x00007FFC304E7000-memory.dmp

Filesize
6.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads