Analysis
- max time kernel: 182s
- max time network: 207s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-01-2022 06:48
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ_OFFER_3098_5RFQ-5914.rtf
- Resource: win7-en-20211208, windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: RFQ_OFFER_3098_5RFQ-5914.rtf
- Resource: win10-en-20211208, windows10_x64
- 0 signatures
- 0 seconds
General
- Target: RFQ_OFFER_3098_5RFQ-5914.rtf
- Size: 2.2MB
- MD5: 150261328c9acaecc66968ae0efd37ee
- SHA1: 19eeff6bfc783323a85950682958f5e006c5b0e8
- SHA256: c796080f9c704855e94c27f3126628cc1434b252ae6a8168de81865d7e4eb20a
- SHA512: c3bb944949065d71fbdeb054c2d6ac59a52a4e023207087a2c2ae5d8b5b6ed292d01d2405120913e683e7a903fc259719d35c33001aa72e30df74b2d6a5197f0
Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- NTFS ADS (1 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{FFD98A21-B872-4B8F-8342-2411F4BC60CF}\Client.vbs:Zone.Identifier | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  980 | WINWORD.EXE
  980 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes: WINWORD.EXE
  pid | process
  980 | WINWORD.EXE
  980 | WINWORD.EXE
  980 | WINWORD.EXE
  980 | WINWORD.EXE
  980 | WINWORD.EXE
  980 | WINWORD.EXE
  980 | WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ_OFFER_3098_5RFQ-5914.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads