Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:50

Static task: static1

Behavioral task: behavioral1
  Sample: f2973c6947472704baf28e9db060471323d290d4a4d74f41389b6cb83f3efd7b.doc
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: f2973c6947472704baf28e9db060471323d290d4a4d74f41389b6cb83f3efd7b.doc
  Resource: win10v2004-20220414-en
General
- Target: f2973c6947472704baf28e9db060471323d290d4a4d74f41389b6cb83f3efd7b.doc
- Size: 9KB
- MD5: ee4338ee50fa964115235527c63bb479
- SHA1: e97768b0eeacc33805e98c9ef7928e02150d8355
- SHA256: f2973c6947472704baf28e9db060471323d290d4a4d74f41389b6cb83f3efd7b
- SHA512: b328ba0d6bcb5ba35bc5fc1e9ad56b055647d252e926acb07a0df1fc4b8a3b0fc5d39f3cd213d122a5f713e138fcf692b5393226ebc63df6a821aa0c2320e931
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    PID 4680 WINWORD.EXE (2 occurrences)

- Suspicious use of SetWindowsHookEx (21 IoCs)
  Processes: WINWORD.EXE
    PID 4680 WINWORD.EXE (21 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f2973c6947472704baf28e9db060471323d290d4a4d74f41389b6cb83f3efd7b.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4680-130-0x00007FFBA71B0000-0x00007FFBA71C0000-memory.dmp (Filesize: 64KB)
- memory/4680-131-0x00007FFBA71B0000-0x00007FFBA71C0000-memory.dmp (Filesize: 64KB)
- memory/4680-132-0x00007FFBA71B0000-0x00007FFBA71C0000-memory.dmp (Filesize: 64KB)
- memory/4680-133-0x00007FFBA71B0000-0x00007FFBA71C0000-memory.dmp (Filesize: 64KB)
- memory/4680-134-0x00007FFBA71B0000-0x00007FFBA71C0000-memory.dmp (Filesize: 64KB)
- memory/4680-135-0x00007FFBA5150000-0x00007FFBA5160000-memory.dmp (Filesize: 64KB)
- memory/4680-136-0x00007FFBA5150000-0x00007FFBA5160000-memory.dmp (Filesize: 64KB)