Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:58
Static task
static1
Behavioral task
behavioral1
Sample
967f8ce36c47d7f80da8c768bf6119484eb9883cf3743490a628770609379b7b.doc
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
967f8ce36c47d7f80da8c768bf6119484eb9883cf3743490a628770609379b7b.doc
Resource
win10v2004-20220414-en
General
- Target: 967f8ce36c47d7f80da8c768bf6119484eb9883cf3743490a628770609379b7b.doc
- Size: 13KB
- MD5: a5a53d89ff770b51ce94578222d14a8d
- SHA1: ccadd75200efc601b58a6bb4bb6f0b76d1f11e24
- SHA256: 967f8ce36c47d7f80da8c768bf6119484eb9883cf3743490a628770609379b7b
- SHA512: f777265f37895fb36a6a69d91b7341d5ff6692ca3f884d4ae416b9b12f42655bd6433c933fc108fe834ae4184f67f911a991a51d7f8d03c8df1b43f024ba1764
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
4048 | WINWORD.EXE
4048 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
WINWORD.EXE
pid | process
4048 | WINWORD.EXE (the same row repeats for each listed IoC)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967f8ce36c47d7f80da8c768bf6119484eb9883cf3743490a628770609379b7b.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6