ec2a5471a7309321ccd5aa24c3471c900dcfc9aeb357359d46e79ac65da27020

Analysis

max time kernel
143s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
13-03-2021 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documenti,03.11.2021.doc
Size

76KB
MD5

6d03104da5d4553116fa45badb829dc9
SHA1

971d1e446ec4a03ab2e41bfa3326bb1b8b688945
SHA256

ec2a5471a7309321ccd5aa24c3471c900dcfc9aeb357359d46e79ac65da27020
SHA512

cb1c7069b51e95726b819fd27ee6a576cdf873089bae6ed7ce68cecc6f3a09214f13f04e3abfeca735dcdae0c0fdbbbcf657c0a3b55d95adffa97790fc1e5007

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

860 WINWORD.EXE
860 WINWORD.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE
860	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documenti,03.11.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:860

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-2-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

Filesize
64KB

Download
memory/860-3-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

Filesize
64KB

Download
memory/860-4-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

Filesize
64KB

Download
memory/860-5-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

Filesize
64KB

Download
memory/860-6-0x00007FFB80F20000-0x00007FFB81557000-memory.dmp

Filesize
6.2MB

Download
memory/860-7-0x00000275FF1B0000-0x00000275FF1B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads