Analysis
- max time kernel: 168s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 08:12
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 6262bcfae7b85c6ad43b2d8cec89f6b9a5b09c2e903c9316f33a7e6a5cdadb0f.rtf
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: 6262bcfae7b85c6ad43b2d8cec89f6b9a5b09c2e903c9316f33a7e6a5cdadb0f.rtf
  - Resource: win10v2004-20220414-en
General
- Target: 6262bcfae7b85c6ad43b2d8cec89f6b9a5b09c2e903c9316f33a7e6a5cdadb0f.rtf
- Size: 1.0MB
- MD5: fdd2d4cb27f4542ac7467c432d46b9ae
- SHA1: 6798ffbb650b453c091bb787075eb2a1bfd99c26
- SHA256: 6262bcfae7b85c6ad43b2d8cec89f6b9a5b09c2e903c9316f33a7e6a5cdadb0f
- SHA512: 7d67a431ff1e69f67d61928ab79bd5d09f0a991c589070fea395f97b7aa7c50e0241f4b627c87d294e23fa152ee204ce240781ce6ba82919345c3fde61be7a46
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- NTFS ADS (4 IoCs)
  Processes: WINWORD.EXE
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\{AE40145A-27E8-4F64-A85B-88E3437D8DB8}\1.zip:Zone.Identifier (WINWORD.EXE)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\{AE40145A-27E8-4F64-A85B-88E3437D8DB8}\a.ScT:Zone.Identifier (WINWORD.EXE)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\{AE40145A-27E8-4F64-A85B-88E3437D8DB8}\uffm.cmd:Zone.Identifier (WINWORD.EXE)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\{AE40145A-27E8-4F64-A85B-88E3437D8DB8}\itnqknf5.cmd:Zone.Identifier (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  - pid 3772 WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Processes: WINWORD.EXE
  - pid 3772 WINWORD.EXE (9 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6262bcfae7b85c6ad43b2d8cec89f6b9a5b09c2e903c9316f33a7e6a5cdadb0f.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3772-130-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/3772-131-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/3772-132-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/3772-133-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/3772-134-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/3772-135-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp (Filesize: 64KB)
- memory/3772-136-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp (Filesize: 64KB)