12f9fa3254d0d89e25a50ffdba394231e436ab5aa7b2440005c396ca4132df5c

Analysis

max time kernel
106s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
10-05-2021 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc
Size

46KB
MD5

92fc5df18a99dcc81c00e2f470196c6b
SHA1

7f89cced469c8a597b40c1b8c947fc0fee6f57bb
SHA256

46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03
SHA512

5816601fcdd94bb35dd24937c6a20e635fe7e9d787c7e435f79d4b3251930430a68b62c8591118167f7147059de74e4f03db10481aaca55970d92982aa89eb37

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3904 WINWORD.EXE
3904 WINWORD.EXE
204 WINWORD.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
204	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE
3904	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\46c15fa7bfa39d2beef250ada9dbee211dd632dfc80bde513d934002ae663f03.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
5106bb8b784d62d679c794f0006e6a63

SHA1
b6304411d18e9dd45c4c5b64764f265e243a990f

SHA256
4127e0da1b2487eabd220fec3e386873e797154cedb7c76bdb5d95b63887e41e

SHA512
aea9c870f73b42fffb1d73fb2499381db76fb3f47a536772b650896bc9d21b30a674cec8b0720f0d38a039a21593eb046d7161bd743ee68854d3f6549910df5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
fb2758f6738d9f616af579d05a33f78d

SHA1
b5f40973bc62da7ba76fc6c3c08b3fc5254a3cef

SHA256
66a5894fde2227c599567be26a36d0023a5cdca7d787dc266a6632d67d69cc42

SHA512
dcea62dba442924954e629c15cf93fc549c317bce52a1a805d67900f4e4e73a8a251e52db6a6c5b51b439fa46967d296993c25b9904bfecf4719271c2168ff2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\10573DB9-36CC-4204-AD37-20F04A82F68F
MD5
ac64b0f6ca47f432a8bf672ae50f1830

SHA1
c5e8837161c517ed5a1635a07a4d0d0b1d56582b

SHA256
5852ed4642c98a7ecb67baf74b834a0f34805fb352e7277f087a440c6d876473

SHA512
220b5498fce38b84c8c084bf7ab43f29074ad70d47f815f24b9f8a73de9dba9fb3164af530acb92a9046a886e182e27f2bf4630f780a0c769a26fec89cdc6468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
0a2b1dbb9a03f76841d9149dd31ca530

SHA1
102c67d84085d9878644b2060e172eb26e980855

SHA256
811a0e3e1bea5a0607ef5cc5391f538ed5e28665cc6955ec1bcd9ab32767def6

SHA512
994d5c8bb426639f709ef9b725d1676d67c7f2ddaa69bfc2ee450f6be5509c249375dbbe11516e2dce8ff7ac35ad2e21dc296e19d2735b46998c8cb3d80b2c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
1d63b81db3d018bfd0d14a07587f106f

SHA1
53e1c62736721a0ae35fbd82848586522d1bca02

SHA256
4402f3df6df6410b12ab70f55e68c1dfba4c66611f8360ee55ec0049e5874b73

SHA512
032f8991a285081aeeee05d229a795911c5061677e62e0054d442ae1d3413aa1a52b3f2eb449451e4ff262ab49b868caa32bb5a041a82e32b085380a0eae6ad0

Download Submit
memory/3904-119-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

Filesize
64KB

Download
memory/3904-179-0x0000014FB7210000-0x0000014FB7214000-memory.dmp

Filesize
16KB

Download
memory/3904-123-0x00007FF83D200000-0x00007FF83F0F5000-memory.dmp

Filesize
31.0MB

Download
memory/3904-122-0x00007FF83F100000-0x00007FF8401EE000-memory.dmp

Filesize
16.9MB

Download
memory/3904-118-0x00007FF845680000-0x00007FF8481A3000-memory.dmp

Filesize
43.1MB

Download
memory/3904-114-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

Filesize
64KB

Download
memory/3904-117-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

Filesize
64KB

Download
memory/3904-116-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

Filesize
64KB

Download
memory/3904-115-0x00007FF824490000-0x00007FF8244A0000-memory.dmp

Filesize
64KB

Download