Analysis
- Max time kernel: 103s
- Max time network: 134s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 01-07-2022 03:23
- Static task: static1
- Behavioral task: behavioral1
  Sample: f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf
  Resource: win10v2004-20220414-en
General
- Target: f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf
- Size: 2.7MB
- MD5: 1d5e6ffddf61cdd7d45facea5170b492
- SHA1: 3329bc4cfbfd1c89a20624385cec7f6dc75eedfd
- SHA256: f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c
- SHA512: e40a143845422c9702519c8c13f45c55cf8a7fa1bad5d0a7ae38c752146be1ec7b35019f258f3ecc1dffaf8e8313d1070f6589752a50ae772bf13ee24967ddf3
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 9 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, excelcnv.exe, WINWORD.EXE
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | excelcnv.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | excelcnv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | excelcnv.exe
- Enumerates system info in registry (2 TTPs, 9 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, excelcnv.exe
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | excelcnv.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | excelcnv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | excelcnv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- NTFS ADS (1 IoC)
  Processes: WINWORD.EXE
  Description | IoC | Process
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{8B067F4F-5421-4E29-A1C7-02CDCA3BA495}\A.X:Zone.Identifier | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  PID | Process
  4740 | WINWORD.EXE (x2)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, excelcnv.exe
  PID | Process
  4740 | WINWORD.EXE (x3)
  3948 | EXCEL.EXE (x4)
  1476 | excelcnv.exe (x1)
  4740 | WINWORD.EXE (x4)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4740)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f8cd4a33eda9a85b62efa976b8ab19439064247858796405e4fb1cc1c3443b8c.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3948)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe (PID 1476)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 471B
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 442B
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EA63496D-1C3D-43F4-B430-0490AEB7F53A
  Filesize: 146KB