Analysis
max time kernel: 179s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:45
Static task
static1
Behavioral task
behavioral1
Sample
f13461cb929fdd13347e61ee6e0fa686e2d196d20b397e4f1a94c1355cc33c78.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
f13461cb929fdd13347e61ee6e0fa686e2d196d20b397e4f1a94c1355cc33c78.doc
Resource
win10v2004-20220414-en
General
Target: f13461cb929fdd13347e61ee6e0fa686e2d196d20b397e4f1a94c1355cc33c78.doc
Size: 152KB
MD5: 0e4a9c1e41152ff1fd39f5c68664473e
SHA1: af493165908f1387c65cf90bf3f8b772fbca0c65
SHA256: f13461cb929fdd13347e61ee6e0fa686e2d196d20b397e4f1a94c1355cc33c78
SHA512: 2c21e82c788a955c3beec27c387427a01d8b3ef426b23b43b5560748b0bf62a074731f0b882c19165fd6f29e5229cccd9c01b18901a3f52a64ce237179ace825
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4960 | WINWORD.EXE (repeated 2 times)

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: WINWORD.EXE
pid | process
4960 | WINWORD.EXE (repeated 14 times)

Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f13461cb929fdd13347e61ee6e0fa686e2d196d20b397e4f1a94c1355cc33c78.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4960-130-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp (Filesize: 64KB)
memory/4960-131-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp (Filesize: 64KB)
memory/4960-132-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp (Filesize: 64KB)
memory/4960-133-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp (Filesize: 64KB)
memory/4960-134-0x00007FFD2ACB0000-0x00007FFD2ACC0000-memory.dmp (Filesize: 64KB)
memory/4960-135-0x00007FFD28750000-0x00007FFD28760000-memory.dmp (Filesize: 64KB)
memory/4960-136-0x00007FFD28750000-0x00007FFD28760000-memory.dmp (Filesize: 64KB)