Analysis
max time kernel: 145s
max time network: 144s
platform: windows10_x64
resource: win10v20201028
submitted: 26-02-2021 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: contract invoce.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: contract invoce.doc
  Resource: win10v20201028
General
Target: contract invoce.doc
Size: 132KB
MD5: 85585f5162a053f177019cec24e86375
SHA1: 720f60ada0426fe82aabaa4c3f8db95c2e09b07a
SHA256: 9c9d3701bb36c5fc3498ca7d57d553ee644ddd6daa8e551b80b2d109bdd08d35
SHA512: 6f1f1fae3a7d5a16611df9f46e78b57d72721499b7ad7b79bc2054d71b02c9245338a8f6ffd19e4b23944ae511c08c9eb02e788bbe26e5b940703b41bd9c38ea
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: POWERPNT.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: POWERPNT.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | POWERPNT.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes: WINWORD.EXE, POWERPNT.EXE
pid | process
4716 | WINWORD.EXE
4716 | WINWORD.EXE
804 | POWERPNT.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: WINWORD.EXE, POWERPNT.EXE
pid | process
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
4716 | WINWORD.EXE
804 | POWERPNT.EXE
804 | POWERPNT.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\contract invoce.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\UninstallResume.ppsm" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5: 22ba402e0739745b8696dd96469a51f0
SHA1: 9e96368116f98716356816f5788f9b121a1145f8
SHA256: 5fc371f8c7a7d9f430866ad606d43872f0b138384d684a1aa88207ed937d34c7
SHA512: 3dcbb7b6ffe1580492cfe7db070c4b13abb71e582b8c1ed224353bdab48e5e91a13dd123afd1ddd4fb0bbebb0f9cde5f129777ea18daba627ab0f0e2fa0a7c36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5: e86763e8ca85a2b9d0a8b2be4f7908c8
SHA1: da0897b52062efdcbc93fbbeeac54f991ecad6c3
SHA256: c8bcbec80afde0e9ff112a39c449030676fc4c3be5f67adff4a7a33448f61ba8
SHA512: b8aa1a755b85e462e86ffe7f14f46e614cd83131a11b4374c0f0f0b16bc3825e3eca0a9b8d19536eac4e0fbeab81c9ce13a8104fa6765e1592ac434e73ebe245

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E28A66AA-6CDA-4909-8915-128BE54AB5FD
MD5: 212acd105ae954863f03c1e373150144
SHA1: 77112b0044b11dae917957ae26781cf06b4300e1
SHA256: 29ee2563782511d8e85216c706ebf0a62eea9e90ebf9e0b446058df1031267ec
SHA512: 8319a8dfe7a78712ac55ab0390922742c2a94c0f4d37f20a7b9873ef7fa35c8475a5e0784a154192b7e9aa13e3525c28c15afe966fa0c6df98bf7d630217c095

memory dump | filesize
memory/804-14-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/804-19-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/804-17-0x00007FF861140000-0x00007FF861777000-memory.dmp | 6.2MB
memory/804-16-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/804-15-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-7-0x00007FF861990000-0x00007FF8644B3000-memory.dmp | 43.1MB
memory/4716-11-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-12-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-13-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-10-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-9-0x00007FF861990000-0x00007FF8644B3000-memory.dmp | 43.1MB
memory/4716-8-0x00007FF861990000-0x00007FF8644B3000-memory.dmp | 43.1MB
memory/4716-2-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-6-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-5-0x000001B36FF90000-0x000001B3705C7000-memory.dmp | 6.2MB
memory/4716-4-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB
memory/4716-3-0x00007FF83FDE0000-0x00007FF83FDF0000-memory.dmp | 64KB