Analysis
- max time kernel: 137s
- max time network: 166s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 07:25
Static task: static1
Behavioral task: behavioral1
- Sample: NewOrder-PO300122.rtf
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: NewOrder-PO300122.rtf
- Resource: win10-en-20211208 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: NewOrder-PO300122.rtf
- Size: 2.2MB
- MD5: a9c56c16c6c705510fea0b1419f87ec0
- SHA1: b6274154f6f8301de35df1c346d534a0c782ec6d
- SHA256: 278a01105105ba46b8303bb8933c4a3010aa7098342460ab4090e3ddbafb19ab
- SHA512: 6f127ca937b147b616d563ab2eb1535488d0187a5bd8aa9b7d70ad3462a1d4899f7be47095a60251aaf1381a1f13fea8d247d1775995ed9f1c2b0d82f9788e32
- Score: 1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description       | ioc                                                                                  | process
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description       | ioc                                                          | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
NTFS ADS 1 IoCs
Processes: WINWORD.EXE
description                  | ioc                                                                                                   | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{E00C569A-5A8D-40FF-BB9A-42BB4F2748CD}\Client.vbs:Zone.Identifier | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid  | process
1896 | WINWORD.EXE
1896 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid  | process
1896 | WINWORD.EXE
1896 | WINWORD.EXE
1896 | WINWORD.EXE
1896 | WINWORD.EXE
1896 | WINWORD.EXE
1896 | WINWORD.EXE
1896 | WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1896)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NewOrder-PO300122.rtf" /o ""
  Signatures triggered by this process:
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1896-117-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-118-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-119-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-120-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-121-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-124-0x00007FFB3FD60000-0x00007FFB3FD70000-memory.dmp (Filesize: 64KB)
- memory/1896-125-0x00007FFB3FD60000-0x00007FFB3FD70000-memory.dmp (Filesize: 64KB)
- memory/1896-325-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-326-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-327-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)
- memory/1896-328-0x00007FFB428B0000-0x00007FFB428C0000-memory.dmp (Filesize: 64KB)