Analysis
max time kernel: 148s
max time network: 124s
platform: windows10_x64
resource: win10-en-20210920
submitted: 20-10-2021 21:05
Static task: static1

Behavioral task: behavioral1
Sample: 72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: 72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc
Resource: win10-en-20210920
General
Target: 72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc
Size: 21KB
MD5: 0081b3299ae18a60a7904ada0ad0bb4f
SHA1: 2973ff43efc2e1084132b4f6124a8661764563cd
SHA256: 72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73
SHA512: 87c6cfd0e8c93a1a4dc5051b1f6340e31343732b220d435b952c014511694f9f56e4bf0fea7cb70c2dcbc229b1626ef8ae221211284cf6a62ffa665a9eed74fc
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
WINWORD.EXE
pid | process
1812 | WINWORD.EXE
1812 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (21 IoCs)
Processes:
WINWORD.EXE
pid | process
1812 | WINWORD.EXE (same entry repeated for every IoC)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72032bd1b1c1a6ec8ae1762a14aa4092627d49069abaeecb74f3268620c48d73.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6