Analysis
max time kernel: 139s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 22-01-2021 08:27
Static task: static1
Behavioral task: behavioral1
Sample: file.doc
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: file.doc
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General
Target: file.doc
Size: 81KB
MD5: dd733ee22089eb90bc22d67f153b5fc7
SHA1: 7e5205c24030350e5a7609616fc3259126f5b0a6
SHA256: 52b73dfbe12fa8408c9d9df2b56d8053c393efd8ddd82016606217748fc396e3
SHA512: 29fc48706cda11344ebea19af761711f844d5ed7acdf2953fe678b139ab68cbff678315dc588d9aedabc13ab24456b983dc36da086de10cf739dd30d994f93bf
Score: 5/10
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description / ioc / process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description / ioc / process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid / process
  3584  WINWORD.EXE
  3584  WINWORD.EXE

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes: WINWORD.EXE
  pid / process
  3584  WINWORD.EXE  (17 identical entries)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3584-2-0x00007FFB667A0000-0x00007FFB667B0000-memory.dmp (Filesize 64KB)
memory/3584-3-0x00007FFB667A0000-0x00007FFB667B0000-memory.dmp (Filesize 64KB)
memory/3584-4-0x00007FFB667A0000-0x00007FFB667B0000-memory.dmp (Filesize 64KB)
memory/3584-5-0x00007FFB667A0000-0x00007FFB667B0000-memory.dmp (Filesize 64KB)
memory/3584-6-0x00007FFB85F00000-0x00007FFB86537000-memory.dmp (Filesize 6.2MB)
memory/3584-7-0x00007FFB62FD0000-0x00007FFB62FE0000-memory.dmp (Filesize 64KB)
memory/3584-8-0x0000023CB9AD0000-0x0000023CB9AD4000-memory.dmp (Filesize 16KB)