9c3464db25278e4abef2e72a7fdbdd5303c39976f76e53b464a453598fe9fdb7

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
11-04-2022 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

=?iso-8859-9?Q?Minutes_of_Meeting-Toplant=FD_Tutana=F0=FD-(Eng)-31.03.22.docx
Size

29KB
MD5

53255286f68b46ec88d1114971f39336
SHA1

7bcb3e0440b8a298cda989dbd12794ff4c7968ab
SHA256

65076ea9c7be899fb71bab55c28e16add2aeee619b01ac97b316895fdafaf12d
SHA512

cf84056c6e7e9b5f9b17fdac90bfd539a78fe7d530c31df41e017f4a6ef6d2ffd450e17e31e8b11a7c65517eec59525a5c6b7d4a91d8a3a30095cda477f0706f

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1784 WINWORD.EXE
1784 WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE
1784	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\=_iso-8859-9_Q_Minutes_of_Meeting-Toplant=FD_Tutana=F0=FD-(Eng)-31.03.22.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-124-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-125-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-126-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-127-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-128-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-129-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-130-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-131-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download
memory/1784-132-0x00007FFEB7CB0000-0x00007FFEB7CC0000-memory.dmp

Filesize
64KB

Download