Analysis
- max time kernel: 103s
- max time network: 141s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 30-04-2021 16:02
Static task: static1
Behavioral task: behavioral1
- Sample: e9251e1f_by_Libranalysis.doc
- Resource: win7v20210408
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: e9251e1f_by_Libranalysis.doc
- Resource: win10v20210410
- 0 signatures
- 0 seconds
General
- Target: e9251e1f_by_Libranalysis.doc
- Size: 10KB
- MD5: e9251e1f304381e9bfcd08dbfd576ce5
- SHA1: dcee651dbfb6f9154a3b4170a65d88c9905fa031
- SHA256: 2af39f18d2425772d604b14a66fa078ba7b2e7c1b252d9b9d6700f50023f72d2
- SHA512: a0bbe31458b3043258a0383045ca00bdc34ff217c01ffdc2159d80b5755f72d5967e7d79f386d89bc766f222194dc52cef8021b42aad9b8443ff50296cad5a0f
Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4448 | WINWORD.EXE
4448 | WINWORD.EXE

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: WINWORD.EXE
description | pid | process
Token: SeAuditPrivilege | 4448 | WINWORD.EXE

- Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: WINWORD.EXE
pid | process
4448 | WINWORD.EXE (same entry for each of the 16 IoCs)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9251e1f_by_Libranalysis.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads