Analysis
max time kernel: 106s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 10-05-2021 23:29
Static task: static1
Behavioral task: behavioral1
  Sample: 46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc
  Resource: win10v20210410
General
Target: 46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc
Size: 46KB
MD5: 92fc5df18a99dcc81c00e2f470196c6b
SHA1: 7f89cced469c8a597b40c1b8c947fc0fee6f57bb
SHA256: 46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03
SHA512: 5816601fcdd94bb35dd24937c6a20e635fe7e9d787c7e435f79d4b3251930430a68b62c8591118167f7147059de74e4f03db10481aaca55970d92982aa89eb37
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process
3904 | WINWORD.EXE
3904 | WINWORD.EXE
204 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (28 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
pid | process | hits
3904 | WINWORD.EXE | 14
204 | WINWORD.EXE | 10
3904 | WINWORD.EXE | 4
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 5106bb8b784d62d679c794f0006e6a63
  SHA1: b6304411d18e9dd45c4c5b64764f265e243a990f
  SHA256: 4127e0da1b2487eabd220fec3e386873e797154cedb7c76bdb5d95b63887e41e
  SHA512: aea9c870f73b42fffb1d73fb2499381db76fb3f47a536772b650896bc9d21b30a674cec8b0720f0d38a039a21593eb046d7161bd743ee68854d3f6549910df5e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: fb2758f6738d9f616af579d05a33f78d
  SHA1: b5f40973bc62da7ba76fc6c3c08b3fc5254a3cef
  SHA256: 66a5894fde2227c599567be26a36d0023a5cdca7d787dc266a6632d67d69cc42
  SHA512: dcea62dba442924954e629c15cf93fc549c317bce52a1a805d67900f4e4e73a8a251e52db6a6c5b51b439fa46967d296993c25b9904bfecf4719271c2168ff2c
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\10573DB9-36CC-4204-AD37-20F04A82F68F
  MD5: ac64b0f6ca47f432a8bf672ae50f1830
  SHA1: c5e8837161c517ed5a1635a07a4d0d0b1d56582b
  SHA256: 5852ed4642c98a7ecb67baf74b834a0f34805fb352e7277f087a440c6d876473
  SHA512: 220b5498fce38b84c8c084bf7ab43f29074ad70d47f815f24b9f8a73de9dba9fb3164af530acb92a9046a886e182e27f2bf4630f780a0c769a26fec89cdc6468
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  MD5: 0a2b1dbb9a03f76841d9149dd31ca530
  SHA1: 102c67d84085d9878644b2060e172eb26e980855
  SHA256: 811a0e3e1bea5a0607ef5cc5391f538ed5e28665cc6955ec1bcd9ab32767def6
  SHA512: 994d5c8bb426639f709ef9b725d1676d67c7f2ddaa69bfc2ee450f6be5509c249375dbbe11516e2dce8ff7ac35ad2e21dc296e19d2735b46998c8cb3d80b2c71
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  MD5: 1d63b81db3d018bfd0d14a07587f106f
  SHA1: 53e1c62736721a0ae35fbd82848586522d1bca02
  SHA256: 4402f3df6df6410b12ab70f55e68c1dfba4c66611f8360ee55ec0049e5874b73
  SHA512: 032f8991a285081aeeee05d229a795911c5061677e62e0054d442ae1d3413aa1a52b3f2eb449451e4ff262ab49b868caa32bb5a041a82e32b085380a0eae6ad0
- memory/3904-119-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
  Filesize: 64KB
- memory/3904-179-0x0000014FB7210000-0x0000014FB7214000-memory.dmp
  Filesize: 16KB
- memory/3904-123-0x00007FF83D200000-0x00007FF83F0F5000-memory.dmp
  Filesize: 31.0MB
- memory/3904-122-0x00007FF83F100000-0x00007FF8401EE000-memory.dmp
  Filesize: 16.9MB
- memory/3904-118-0x00007FF845680000-0x00007FF8481A3000-memory.dmp
  Filesize: 43.1MB
- memory/3904-114-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
  Filesize: 64KB
- memory/3904-117-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
  Filesize: 64KB
- memory/3904-116-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
  Filesize: 64KB
- memory/3904-115-0x00007FF824490000-0x00007FF8244A0000-memory.dmp
  Filesize: 64KB