Analysis
-
max time kernel
125s -
max time network
129s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
13-05-2021 16:01
Static task
static1
Behavioral task
behavioral1
Sample
77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc
Resource
win7v20210408
Behavioral task
behavioral2
Sample
77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc
Resource
win10v20210408
General
-
Target
77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc
-
Size
46KB
-
MD5
b597371a6096565c712d498c5d23aae6
-
SHA1
866fa4cd4918cb99405cd78cf2fb475212106ebd
-
SHA256
77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea
-
SHA512
feebb44b6a8ff7d142154000fc76e9255f519b2d5935e047f381f60c8cff20c6273dc0e515dc88d5fd6908456bf97176f47316085211fe6ee9092e48f7130f5d
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 672 WINWORD.EXE 672 WINWORD.EXE 2128 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 2128 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE 672 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77a5159c1b276c88f513d71aed1ecd7d40aeb864a2cb26da646a5a9634b747ea.bin.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:672
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2128
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5
f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5
c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
ef8bf968b61edcbb962d7206ef3b28cc
SHA11e6c01e874017e3475437d177071702464da1777
SHA2561be9699dde66ef381d3b935afeb7d09724e9065532e7a37b725c6141d49e2eba
SHA51200ec6fe6d1ddd9818a7c981edf1f9b1b7eb91f3651bd2800bfe67d769088ae36e740a8f28edf885930b82790ae0befa1fdc4e7588cbbfb79193af6ea2e9b3b11
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
2862f27f316b4d2f47b4964c2fe111e5
SHA193be745fca2c2aa1ab3edaaa1d9b06dbffe94705
SHA2560864fd7765347269362abaa75a418ad98c6a3ab271aa70616165dde2b2a2d13e
SHA5129fe9bd74ccf0639106b416f79f22f41243c8de92ae398e68797092aaaac517b51eb1fdc860d8a731251e1dd6bbd4647dbfd5f47bc387d763b9cf74c75a8c0d4e
-
memory/672-119-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmpFilesize
64KB
-
memory/672-179-0x000001C4F13E0000-0x000001C4F13E4000-memory.dmpFilesize
16KB
-
memory/672-123-0x00007FF8C6780000-0x00007FF8C8675000-memory.dmpFilesize
31.0MB
-
memory/672-122-0x00007FF8C9130000-0x00007FF8CA21E000-memory.dmpFilesize
16.9MB
-
memory/672-118-0x00007FF8CDC40000-0x00007FF8D0763000-memory.dmpFilesize
43.1MB
-
memory/672-114-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmpFilesize
64KB
-
memory/672-117-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmpFilesize
64KB
-
memory/672-116-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmpFilesize
64KB
-
memory/672-115-0x00007FF8ACF90000-0x00007FF8ACFA0000-memory.dmpFilesize
64KB