79e3db1dc5a6ee8a4ea658e6c649dafd34a7b56be47bd3333775e837a128cd8d

Analysis

max time kernel
114s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-04-2022 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEDITECH's Response to All Nations Family Health Team's Request For Information - 4. 2022 (1).docx
Size

2.1MB
MD5

9519fe4aa02bb2bc7cf1a6b35a8f53d1
SHA1

bbb2a94e9afe83f4cec4fa3c0c45cc48fe4f08c4
SHA256

1f1a9e422eb139a9a1023ed7c1c84dac132e34a6c98cfafa4b1abb50789f89b1
SHA512

2f8fb8b7874ead447be9fc2a910695903640853a3057e08c963f0ba6b80a6d97275d531699e6473a40d3a4815676dc98abfe6b8c005bb4aa4f280d65d7aa36de

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4624 WINWORD.EXE
4624 WINWORD.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE
4624 WINWORD.EXE

pid	process
4624	WINWORD.EXE
4624	WINWORD.EXE

pid	process
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\MEDITECH's Response to All Nations Family Health Team's Request For Information - 4. 2022 (1).docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4624-130-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-131-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-132-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-133-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-134-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-135-0x00007FF8DD240000-0x00007FF8DD250000-memory.dmp

Filesize
64KB

Download
memory/4624-136-0x00007FF8DD240000-0x00007FF8DD250000-memory.dmp

Filesize
64KB

Download
memory/4624-138-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-140-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-139-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download
memory/4624-141-0x00007FF8DFB50000-0x00007FF8DFB60000-memory.dmp

Filesize
64KB

Download