5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d

Analysis

max time kernel
121s
max time network
146s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zakaz na pokupku 21-10-2021.doc
Size

4KB
MD5

e205f10f887754bd65281f14c25c0f21
SHA1

b356aab56ba5eb993326e4ede7e254e7181aa165
SHA256

5d77fcbee204c6b9fea6ec4bda5216714e2e46f4247f673956e64e36a9c3424d
SHA512

cd43d1cb4193ef5aa4f77a290e186a4e87d55f42a61b502cbc2beeb2044613855e82553effca9f6bcda5cd4174c8c0ce6989774530c3b68c7a612ba26c2ef0a2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4080 WINWORD.EXE
4080 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4080 WINWORD.EXE
4080 WINWORD.EXE
4080 WINWORD.EXE
4080 WINWORD.EXE
4080 WINWORD.EXE
4080 WINWORD.EXE
4080 WINWORD.EXE

pid	process
4080	WINWORD.EXE
4080	WINWORD.EXE

pid	process
4080	WINWORD.EXE
4080	WINWORD.EXE
4080	WINWORD.EXE
4080	WINWORD.EXE
4080	WINWORD.EXE
4080	WINWORD.EXE
4080	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Zakaz na pokupku 21-10-2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-115-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp

Filesize
64KB

Download
memory/4080-116-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp

Filesize
64KB

Download
memory/4080-117-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp

Filesize
64KB

Download
memory/4080-118-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp

Filesize
64KB

Download
memory/4080-119-0x00007FFEF14B0000-0x00007FFEF14C0000-memory.dmp

Filesize
64KB

Download
memory/4080-121-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp

Filesize
8KB

Download
memory/4080-120-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp

Filesize
8KB

Download
memory/4080-122-0x00000189CA3E0000-0x00000189CA3E2000-memory.dmp

Filesize
8KB

Download