Analysis
max time kernel: 117s
max time network: 147s
platform: windows10_x64
resource: win10v20210408
submitted: 10-05-2021 05:55
Static task: static1
Behavioral task: behavioral1
Sample: 7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43.doc
Resource: win7v20210410
Behavioral task: behavioral2
Sample: 7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43.doc
Resource: win10v20210408
General
Target: 7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43.doc
Size: 25KB
MD5: 1b0ed0e20af94b6d930124f520bac212
SHA1: 7ee9857bac313ee0c14fa76464367be36616fa71
SHA256: 7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43
SHA512: 09471761a617d4b89576ce3e3d1cd608126b74b0c1ec5eddf00e01446308184c36bf38361e66b2bbc1488d37a8f10fe6c2ce369f1850d805fbb15b993fed0725
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
1456 | WINWORD.EXE
1456 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (18 IoCs)
Processes: WINWORD.EXE
pid | process
1456 | WINWORD.EXE (same row for all 18 IoCs)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6