Analysis
-
max time kernel
265s -
max time network
267s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
18-06-2021 14:32
Static task
static1
Behavioral task
behavioral1
Sample
instruct_06.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
instruct_06.21.doc
Resource
win10v20210408
General
-
Target
instruct_06.21.doc
-
Size
45KB
-
MD5
b21183bab3178f2dcd753e9d079501d4
-
SHA1
d4bc00863ed58580f568de4152dade19df2e8a08
-
SHA256
943660aff538730507a4e2feb526a1441024ef48e7aaa4515088c80062658f56
-
SHA512
1fff8e91407ed20d885e9d309c72d775295993f0dfc7587d37494ca66c8b6d0fe2343f4972db00ffcec5585a331c18cfcebd2c1082639fe01f696c9f9121a958
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3008 WINWORD.EXE 3008 WINWORD.EXE 3952 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 30 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3952 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE 3008 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instruct_06.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
1df8c47949f9b5d4ab72a4e5a16040d4
SHA1725e67a98b4014bae66504e2395b9dc02a7dff04
SHA2568ed73c477b6049fbe8aeb72ef139701fbec7798766d506a9dd20c9f00cac52ed
SHA512ef9711bb4ca26bd7055371ee4e7052aac99709350cdb854d0d7c9f89a25a51e833b58aba6261a5a2519cbffe1d25071f8d9e5a994dc92d2346ee58587d507520
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
da5c27934ffcdd736323a6c57f5ad8f8
SHA12e83e5fe94af7f45c87c36f7d3fa2492d65931c2
SHA256df4e4d4384c82f7c88c58d71f863f064d49bca10428e791dec5a2fad0bacdeb8
SHA512d836b972bd5547c3da55d3b4fa44c8f451528fb1023c42e80e7f758f357ac26f90de6218ad442ea387f687fabb551bd1ee683c2e032d5fd1df5bdc26f9c7eec4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5
f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5
c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
e780c05fedd0c186661dbbe7bce00a11
SHA1f617bf626525a50e27b9e648913bcf60d1f553ca
SHA256ef14ec397377ba4bf8245d35b42ef109d613cc23a25bb6f41adb212b4addd37f
SHA512e6c88e8aa958f740df68c076eeed5bfe8fd51b74b521b45b0da9dde3bdfbcd38f3b72cddd542972a66aa77ed9e4ab66c1414697a683e4835c8fff86123ade4d6
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
e780c05fedd0c186661dbbe7bce00a11
SHA1f617bf626525a50e27b9e648913bcf60d1f553ca
SHA256ef14ec397377ba4bf8245d35b42ef109d613cc23a25bb6f41adb212b4addd37f
SHA512e6c88e8aa958f740df68c076eeed5bfe8fd51b74b521b45b0da9dde3bdfbcd38f3b72cddd542972a66aa77ed9e4ab66c1414697a683e4835c8fff86123ade4d6
-
memory/3008-118-0x00007FFFDF870000-0x00007FFFE2393000-memory.dmpFilesize
43.1MB
-
memory/3008-123-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmpFilesize
31.0MB
-
memory/3008-122-0x0000028D709B0000-0x0000028D71A9E000-memory.dmpFilesize
16.9MB
-
memory/3008-114-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-119-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-117-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-116-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3008-115-0x00007FFFBE230000-0x00007FFFBE240000-memory.dmpFilesize
64KB
-
memory/3952-153-0x00007FFFD7C90000-0x00007FFFD9B85000-memory.dmpFilesize
31.0MB
-
memory/3952-152-0x00000255D57F0000-0x00000255D68DE000-memory.dmpFilesize
16.9MB
-
memory/3952-148-0x00007FFFDF870000-0x00007FFFE2393000-memory.dmpFilesize
43.1MB