Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf
  Resource: win10v2004-20220721-en
General
Target: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf
Size: 584KB
MD5: 8b140506ec06ac39293346fe55fe9151
SHA1: 4cb7f1b6b1aee0398a9fe7d6fa0ddfe21571655e
SHA256: a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91
SHA512: cac3f2579192fb9c2f79af7930875f6d1acc0e354cf4eb57dd96d135ff768cfdba2b5755afc6e6f63630f4664534a3b3b42e7efab4cd878651f8f613b9729105
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: WINWORD.EXE
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
The BIOS SystemFamily and SystemSKU strings identify the hardware vendor and model; on a virtual machine they usually name the hypervisor instead, so they are read for the same sandbox-detection purpose as the processor values above.
Process: WINWORD.EXE
  description        ioc                                                        process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
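The two registry signatures above record exactly which values the document reads. The following triage helper, added here as an example and not code from the sandbox or from the sample, queries the same four values (on Windows, via winreg) and scores them the way a sandbox-aware loader typically does: hypervisor vendor strings in the CPU or BIOS names, or an implausibly low CPU clock. The marker list, the 1000 MHz threshold and the constructed SANDBOX_LIKE / BARE_METAL_LIKE value sets are illustrative assumptions; nothing here is recovered from the sample itself.

```python
"""Registry sandbox-check triage (added example; not from the report or the
sample).  Reads the HKLM values the sample queried and applies a typical
hypervisor heuristic.  The marker list and MHz threshold are assumptions."""
import re
from typing import Dict, List

# Key paths as they appear in the report, relative to HKEY_LOCAL_MACHINE.
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
WATCHED = {CPU_KEY: ("~MHz", "ProcessorNameString"), BIOS_KEY: ("SystemFamily", "SystemSKU")}

# Assumed hypervisor fingerprints commonly found in these strings.
VM_MARKERS = re.compile(
    r"vmware|virtualbox|vbox|qemu|kvm|xen|hyper-v|virtual machine|parallels|bochs", re.I)
MIN_PLAUSIBLE_MHZ = 1000  # assumed: physical hosts rarely report a lower clock


def read_live_values() -> Dict[str, object]:
    """Query the live registry on Windows; return {} on other platforms."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return {}
    out: Dict[str, object] = {}
    for key_path, names in WATCHED.items():
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in names:
                try:
                    out[f"{key_path}\\{name}"], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value absent on this build; nothing to score
    return out


def assess(values: Dict[str, object]) -> List[str]:
    """Return the reasons a sample running these checks would flag a sandbox."""
    reasons: List[str] = []
    for full_name, value in values.items():
        name = full_name.rsplit("\\", 1)[-1]
        if name == "~MHz":
            try:
                if int(value) < MIN_PLAUSIBLE_MHZ:
                    reasons.append(f"{name}={value} below {MIN_PLAUSIBLE_MHZ}")
            except (TypeError, ValueError):
                reasons.append(f"{name} not numeric: {value!r}")
        elif name in ("ProcessorNameString", "SystemFamily", "SystemSKU"):
            hit = VM_MARKERS.search(str(value))
            if hit:
                reasons.append(f"{name} contains {hit.group(0)!r}")
    return reasons


# Constructed values for an offline run; they are not taken from the report.
SANDBOX_LIKE = {
    CPU_KEY + r"\~MHz": 2394,
    CPU_KEY + r"\ProcessorNameString": "Intel Core Processor (Haswell)",
    BIOS_KEY + r"\SystemFamily": "Virtual Machine",
    BIOS_KEY + r"\SystemSKU": "None",
}
BARE_METAL_LIKE = {
    CPU_KEY + r"\~MHz": 3600,
    CPU_KEY + r"\ProcessorNameString": "Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz",
    BIOS_KEY + r"\SystemFamily": "ThinkPad T490",
    BIOS_KEY + r"\SystemSKU": "LENOVO_MT_20N2",
}

if __name__ == "__main__":
    live = read_live_values()
    print("live registry:" if live else "constructed values:")
    for reason in assess(live or SANDBOX_LIKE) or ["no sandbox indicators"]:
        print(" -", reason)
```

Running it on a detonation host shows which of the four values would give the environment away; in the constructed set only SystemFamily trips the check, while the generic "Intel Core Processor (Haswell)" CPU name passes the naive marker list, which is the usual argument for also masking BIOS strings, not just the processor name, on analysis VMs.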
NTFS ADS (6 IoCs)
Zone.Identifier is the Mark-of-the-Web alternate data stream. Here Word writes it on six files it materialises in a per-document {GUID} folder under %TEMP%; the mix of .cmd, .ScT, .BiN and .doc names is consistent with embedded objects being extracted from the document for activation.
Process: WINWORD.EXE
  description                   ioc                                                                                                        process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\ParT2.BiN:Zone.Identifier          WINWORD.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\trbatehtqevyay.ScT:Zone.Identifier  WINWORD.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\gondi.doc:Zone.Identifier          WINWORD.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\uffm.cmd:Zone.Identifier           WINWORD.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\i1mzn.cmd:Zone.Identifier          WINWORD.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\{59E5B7F6-31F7-4F39-BE95-92CB92EE3138}\ParT1.BiN:Zone.Identifier          WINWORD.EXE
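When an RTF drops several files of this kind into a {GUID} Temp folder, the usual carrier is one OLE Package object per file inside \objdata groups, and the static way to recover them is to parse those groups rather than wait for the sandbox to materialise them. The extractor below is an added example, not code from the sandbox, the sample or any project, and it assumes plain OLE 1.0 EmbeddedObject records (MS-OLEDS) whose hex is line-wrapped but not obfuscated with \bin or nested groups, and the Packager stream layout as documented by oletools (u16 header, label, source path, u32 flags, u32 temp-path length, temp path, u32 size, data). The RTF it parses is constructed in the block with two hypothetical payloads (stage1.cmd, stage2.sct); the file names and contents are not taken from the report.

```python
"""Extract OLE Package objects from RTF \\objdata groups (added example; not
code from the sandbox or the sample).  Assumes unobfuscated OLE 1.0 records
and the Packager stream layout described in the lead-in."""
import hashlib
import re
import struct
from typing import Dict, Iterator, List, Tuple

HEX = set("0123456789abcdefABCDEF")
_CONTROL = re.compile(r"\\(?:[A-Za-z]+-?\d* ?|.)", re.DOTALL)


def iter_objdata_hex(rtf: str) -> Iterator[str]:
    """Yield the hex text of each \\objdata destination, tolerant of line
    wrapping; hex inside nested groups is dropped (a simplification)."""
    for m in re.finditer(r"\\objdata\b", rtf):
        pos, depth, buf = m.end(), 0, []
        while pos < len(rtf):
            c = rtf[pos]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break
                depth -= 1
            elif c == "\\":
                cw = _CONTROL.match(rtf, pos)  # skip embedded control words
                pos = cw.end() if cw else pos + 1
                continue
            elif depth == 0 and c in HEX:
                buf.append(c)
            pos += 1
        yield "".join(buf)


def _read_lpstr(buf: bytes, pos: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from("<I", buf, pos)  # length includes the NUL
    pos += 4
    return buf[pos:pos + n].rstrip(b"\0").decode("latin-1"), pos + n


def _read_cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole1(blob: bytes) -> Dict[str, object]:
    """OLE 1.0 header: OLEVersion, FormatID (2 = embedded), ClassName,
    TopicName, ItemName, then NativeDataSize and NativeData."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    cls, pos = _read_lpstr(blob, 8)
    _topic, pos = _read_lpstr(blob, pos)
    _item, pos = _read_lpstr(blob, pos)
    native = b""
    if fmt == 2:
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    return {"class": cls, "format_id": fmt, "native": native}


def parse_package(native: bytes) -> Dict[str, object]:
    """Packager stream: the file name and bytes Word drops on activation."""
    label, pos = _read_cstr(native, 2)  # skip the u16 header
    source, pos = _read_cstr(native, pos)
    pos += 8                            # u32 flags, u32 temp-path length
    temp, pos = _read_cstr(native, pos)
    (size,) = struct.unpack_from("<I", native, pos)
    return {"filename": label, "source_path": source, "temp_path": temp,
            "data": native[pos + 4:pos + 4 + size]}


def extract_embedded(rtf: str) -> List[Dict[str, object]]:
    found = []
    for hx in iter_objdata_hex(rtf):
        blob = bytes.fromhex(hx[:len(hx) & ~1])  # drop a dangling nibble
        if len(blob) < 8:
            continue
        obj = parse_ole1(blob)
        entry = {"class": obj["class"], "filename": None, "data": obj["native"]}
        if obj["class"] == "Package" and obj["native"]:
            entry.update(parse_package(obj["native"]))
        entry["sha256"] = hashlib.sha256(entry["data"]).hexdigest()
        found.append(entry)
    return found


# --- constructed sample input (hypothetical names and contents) ---------------
def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\0"


def build_package_objdata(filename: str, payload: bytes) -> str:
    src = f"C:\\Users\\user\\Desktop\\{filename}".encode()
    tmp = f"C:\\Temp\\{filename}".encode()
    native = (struct.pack("<H", 2) + filename.encode() + b"\0" + src + b"\0"
              + struct.pack("<II", 0x00030000, len(tmp) + 1) + tmp + b"\0"
              + struct.pack("<I", len(payload)) + payload)
    return (struct.pack("<II", 0x00000501, 2) + _lp(b"Package") + _lp(b"") + _lp(b"")
            + struct.pack("<I", len(native)) + native).hex()


def _rtf_object(hx: str) -> str:
    wrapped = "\r\n".join(hx[i:i + 64] for i in range(0, len(hx), 64))
    return ("{\\object\\objemb\\objw1440\\objh1440{\\*\\objclass Package}"
            "{\\*\\objdata " + wrapped + "}{\\result {\\pict\\wmetafile8 01000900}}}")


STAGE1 = b"@echo off\r\nstart \"\" stage2.sct\r\n"
STAGE2 = b'<scriptlet><script language="JScript">/* placeholder */</script></scriptlet>'
SAMPLE_RTF = ("{\\rtf1\\ansi\\deff0 Constructed sample \\par "
              + _rtf_object(build_package_objdata("stage1.cmd", STAGE1))
              + _rtf_object(build_package_objdata("stage2.sct", STAGE2)) + "}")

if __name__ == "__main__":
    for o in extract_embedded(SAMPLE_RTF):
        print(o["class"], o["filename"], o["temp_path"], len(o["data"]), o["sha256"])
```

On a real sample, run extract_embedded over the file contents and hash each recovered payload before it is ever activated; for production use, oletools' rtfobj implements the same parsing with handling for the obfuscations this example deliberately leaves out.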
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Process: WINWORD.EXE
  pid   process
  2216  WINWORD.EXE
  2216  WINWORD.EXE
Suspicious use of SetWindowsHookEx (10 IoCs)
Process: WINWORD.EXE
  pid   process
  2216  WINWORD.EXE  (10 identical entries)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2216)
   "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a3c5880da2fdc1e7c07bead5af0a5dda6acb0893b39615b512feb82ddfc24d91.rtf" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                               filesize
  memory/2216-130-0x00007FF8228D0000-0x00007FF8228E0000-memory.dmp   64KB
  memory/2216-131-0x00007FF8228D0000-0x00007FF8228E0000-memory.dmp   64KB
  memory/2216-132-0x00007FF8228D0000-0x00007FF8228E0000-memory.dmp   64KB
  memory/2216-133-0x00007FF8228D0000-0x00007FF8228E0000-memory.dmp   64KB
  memory/2216-134-0x00007FF8228D0000-0x00007FF8228E0000-memory.dmp   64KB
  memory/2216-135-0x00007FF81FFC0000-0x00007FF81FFD0000-memory.dmp   64KB
  memory/2216-136-0x00007FF81FFC0000-0x00007FF81FFD0000-memory.dmp   64KB