Analysis
-
max time kernel
116s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 05:52
Static task
static1
Behavioral task
behavioral1
Sample
7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc
Resource
win10v2004-20220414-en
General
-
Target
7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc
-
Size
568KB
-
MD5
a04e3ee9cb2acac19938a07d3baff511
-
SHA1
faecd33c4243d60dd3f2f1c9762cad86c580167f
-
SHA256
7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc
-
SHA512
68fe12990abcef919be6abd36829ee002b82b94be57242eb33b0eb107d6d093f31db2e01556609af0fca9f0af01c7e8ae3a5e77794bd1144b0e9e69c2a71e9a1
Malware Config
Signatures
-
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4896 2708 cmd.exe 74 Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 4772 2708 cmd.exe 74 -
Executes dropped EXE 1 IoCs
pid Process 4928 Sign.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2708 WINWORD.EXE 2708 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE 2708 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2708 wrote to memory of 4896 2708 WINWORD.EXE 75 PID 2708 wrote to memory of 4896 2708 WINWORD.EXE 75 PID 4896 wrote to memory of 4020 4896 cmd.exe 77 PID 4896 wrote to memory of 4020 4896 cmd.exe 77 PID 2708 wrote to memory of 4772 2708 WINWORD.EXE 78 PID 2708 wrote to memory of 4772 2708 WINWORD.EXE 78 PID 4772 wrote to memory of 4928 4772 cmd.exe 80 PID 4772 wrote to memory of 4928 4772 cmd.exe 80
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e322758fde5bcf3d7929ca4df931514376be80a73eb64eef7db378e0cc0d4cc.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Windows\system32\certutil.execertutil -decode C:\Users\Admin\AppData\Local\Temp\\Signature.crt C:\Users\Admin\AppData\Local\Temp\\Sign.exe3⤵PID:4020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\\Sign.exe2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\Sign.exeC:\Users\Admin\AppData\Local\Temp\\Sign.exe3⤵
- Executes dropped EXE
PID:4928
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113KB
MD53cd5fa46507657f723719b7809d2d1f9
SHA134ddc14b9a04eba98c3aa1cb27033e12ec847e03
SHA256a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9
SHA512c589f7628f5ac5db570564abd65a26d6b67467b3064abc08a9e352eeda8bc2e28ea7d1c02e15a145d77ec3aae7ecc1890a999df8bbdf0645c05ccfb41acd2442
-
Filesize
113KB
MD53cd5fa46507657f723719b7809d2d1f9
SHA134ddc14b9a04eba98c3aa1cb27033e12ec847e03
SHA256a6dbc36c472b3ba70a98efd0db35e75c340086be15d3c3ab4e39033604d0bcf9
SHA512c589f7628f5ac5db570564abd65a26d6b67467b3064abc08a9e352eeda8bc2e28ea7d1c02e15a145d77ec3aae7ecc1890a999df8bbdf0645c05ccfb41acd2442
-
Filesize
301KB
MD55e152c07eeecd3ac87ab006512995335
SHA12d6e81becabd69ef59b15daf63616011ace87540
SHA256f2de986d091c3d27fb083ab124cdd437275afc287da1aa83a62f391f3f6b56f7
SHA5122deb4c5ea8dbf5e77b0c2d3af3e75d985f585ea435a5da9ce83ad710e44c81f424027de09c13c207d8cd0a6e3467e474f1df360efd11245b1207d796a618cb9c