Analysis

  • max time kernel
    58s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 06:35

General

  • Target

    5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b.doc

  • Size

    136KB

  • MD5

    1c3e971b11c75df46d5e0e28050eb876

  • SHA1

    7b38f2b3317139733aa4a8f2e4eef86e9c1f4de7

  • SHA256

    5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b

  • SHA512

    067f76924e47bcabd339a57a6c7345274a3275db79dfdd4e5761c15213c11a317f96474921681eec36d6113c44b31f00c74aae35d58393397315f8743aeb7f7c

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory (6 IoCs)
  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5728eee65538ea548f875a51d731267536d0f7234add1d2d4eb1c2282220b28b.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:272
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 35952f57ff435f5e89164ea26bb19854 oKiVtAUHI0eiN+pErxxmDg.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1920
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4260

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 2

Downloads

  • memory/1456-130-0x00007FFF598D0000-0x00007FFF598E0000-memory.dmp (Filesize: 64KB)
  • memory/1456-131-0x00007FFF598D0000-0x00007FFF598E0000-memory.dmp (Filesize: 64KB)
  • memory/1456-132-0x00007FFF598D0000-0x00007FFF598E0000-memory.dmp (Filesize: 64KB)
  • memory/1456-133-0x00007FFF598D0000-0x00007FFF598E0000-memory.dmp (Filesize: 64KB)
  • memory/1456-134-0x00007FFF598D0000-0x00007FFF598E0000-memory.dmp (Filesize: 64KB)
  • memory/1456-135-0x00007FFF57130000-0x00007FFF57140000-memory.dmp (Filesize: 64KB)
  • memory/1456-136-0x00007FFF57130000-0x00007FFF57140000-memory.dmp (Filesize: 64KB)
  • memory/4260-149-0x000001F7A99E0000-0x000001F7A99E4000-memory.dmp (Filesize: 16KB)