Analysis
max time kernel: 136s
max time network: 132s
platform: windows10_x64
resource: win10v20201028
submitted: 21-01-2021 07:18

Static task: static1
Behavioral task: behavioral1
  Sample: Inquiry No TBD-6-5659.doc.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Inquiry No TBD-6-5659.doc.rtf
  Resource: win10v20201028
General
Target: Inquiry No TBD-6-5659.doc.rtf
Size: 2.1MB
MD5: 1487709f7e0bd31d246132df9e334e9c
SHA1: 6f4250f4ffa15136852127b7d9dbfeabdd85d020
SHA256: 49615f1281e974a6f58c4dea63673b24ae8b331a3801788244710a3a19194a7a
SHA512: aca6e69fe09e1c8446ffee3047fa3cefc3028ff203edf4d3b964f46b538cf83af5373e0a9e971b010ac568ebddb96e27769f927a0304e5e3d27e930a091fe462
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- NTFS ADS (1 IoCs)
  Processes: WINWORD.EXE
    File opened for modification: C:\Users\Admin\AppData\Local\Temp\{6706B8B8-1B0B-47BA-B7FA-346D55763931}\Client.vbs:Zone.Identifier (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE (PID 4092), 2 occurrences
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE (PID 4092), 7 occurrences
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Inquiry No TBD-6-5659.doc.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4092-2-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp (64KB)
- memory/4092-3-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp (64KB)
- memory/4092-4-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp (64KB)
- memory/4092-5-0x00007FFFCB4A0000-0x00007FFFCBAD7000-memory.dmp (6.2MB)
- memory/4092-6-0x00007FFFABD70000-0x00007FFFABD80000-memory.dmp (64KB)