Analysis
- max time kernel: 119s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-05-2021 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: 471e3984_by_Libranalysis.doc
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 471e3984_by_Libranalysis.doc
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 471e3984_by_Libranalysis.doc
- Size: 10KB
- MD5: 471e39840386d6b9c8e565123a389364
- SHA1: d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
- SHA256: 012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c
- SHA512: 13b841bab9f2ef3ce9a27854a09682ba8983df16b4551e997359511f19decb94f85b23b3811f742fd99fdb7f2985b8063a6444b6c556e7cbafebf8f4b3f4a1e5
- Score: 1/10
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid 2840, WINWORD.EXE (2 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
- Token: SeAuditPrivilege, pid 2840, WINWORD.EXE
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes: WINWORD.EXE
- pid 2840, WINWORD.EXE (16 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\471e3984_by_Libranalysis.doc" /o ""
  Signatures:
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2840-114-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp (Filesize: 64KB)
- memory/2840-115-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp (Filesize: 64KB)
- memory/2840-116-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp (Filesize: 64KB)
- memory/2840-117-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp (Filesize: 64KB)
- memory/2840-119-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmp (Filesize: 64KB)
- memory/2840-118-0x00007FFFE0260000-0x00007FFFE2D83000-memory.dmp (Filesize: 43.1MB)
- memory/2840-122-0x000001FEC8090000-0x000001FEC917E000-memory.dmp (Filesize: 16.9MB)
- memory/2840-123-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmp (Filesize: 31.0MB)