Analysis
- max time kernel: 117s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-10-2021 08:54
Static task: static1
Behavioral task: behavioral1
- Sample: 工行支ä»_é_šçŸ¥ - ICBC Payment Advice (Ref MT10385748472).docx
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 工行支ä»_é_šçŸ¥ - ICBC Payment Advice (Ref MT10385748472).docx
- Resource: win10-en-20210920
General
- Target: 工行支ä»_é_šçŸ¥ - ICBC Payment Advice (Ref MT10385748472).docx
- Size: 10KB
- MD5: 431ce22a09ba2fdbf2818559a8e3d765
- SHA1: 4d2a4167f1c115b5cc13348a91adc7ff8a86be91
- SHA256: dd5a8452993e5300474923f6f48b666bc7157254298568c9325367e35f86f203
- SHA512: 60697715fde6092ecf4a9efbbdf3c20e74b9e903eeac40efe87afc345e03f519114d5e1a333c4f2ef3bbca6580f6b5c41931f15e6323bd942ea8abe7b1b515fd
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid 4268 WINWORD.EXE (2 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WINWORD.EXE
- Token: SeAuditPrivilege, pid 4268 WINWORD.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: WINWORD.EXE
- pid 4268 WINWORD.EXE (6 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\工行支ä»_é_šçŸ¥ - ICBC Payment Advice (Ref MT10385748472).docx" /o ""
  Signatures triggered by this process:
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4268-116-0x00007FF8DD160000-0x00007FF8DD170000-memory.dmp (Filesize 64KB)
- memory/4268-117-0x00007FF8DD160000-0x00007FF8DD170000-memory.dmp (Filesize 64KB)
- memory/4268-118-0x00007FF8DD160000-0x00007FF8DD170000-memory.dmp (Filesize 64KB)
- memory/4268-119-0x00007FF8DD160000-0x00007FF8DD170000-memory.dmp (Filesize 64KB)
- memory/4268-120-0x000001B03F820000-0x000001B03F822000-memory.dmp (Filesize 8KB)
- memory/4268-121-0x000001B03F820000-0x000001B03F822000-memory.dmp (Filesize 8KB)
- memory/4268-122-0x00007FF8DD160000-0x00007FF8DD170000-memory.dmp (Filesize 64KB)
- memory/4268-123-0x000001B03F820000-0x000001B03F822000-memory.dmp (Filesize 8KB)
- memory/4268-140-0x000001B03F820000-0x000001B03F822000-memory.dmp (Filesize 8KB)