Analysis
-
max time kernel
139s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-01-2021 17:54
Behavioral task
behavioral1
Sample
$RY22222G17222222222M9.doc
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
$RY22222G17222222222M9.doc
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
$RY22222G17222222222M9.doc
-
Size
399KB
-
MD5
908cb0ed7bdd34f4712318c8f2c75020
-
SHA1
acadaf2905c51eeff68ae9f4e9e15b1d29848de4
-
SHA256
6f1eadba6e73d7451a46ae74d2dc9e7d31c9d119e739c44c35e7fbef7e121c69
-
SHA512
dc297307efd3675fe6e4ecf930291b7d844ed700465d4072b62cb8e3b821989a7c2ecb9497a1c422beea4b7f132f74c61853fa62c7311e14b5b1e980b30ee7ba
Score
5/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid Process 576 WINWORD.EXE 576 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid Process 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE 576 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid Process procid_target PID 576 wrote to memory of 2440 576 WINWORD.EXE 75 PID 576 wrote to memory of 2440 576 WINWORD.EXE 75
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$RY22222G17222222222M9.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2440
-