Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2022 12:02
Static task: static1
Behavioral task: behavioral1
Sample: technographsri invoice 26.07.2022.docm
Resource: win7-20220715-en
General
Target: technographsri invoice 26.07.2022.docm
Size: 3.4MB
MD5: 330b1f2f4183479441f25530c993fc41
SHA1: c35987c7062aefada74ae4dfd89c0e8798026299
SHA256: 038167147ac824ac2ebbaee81b7c442694149368c2a40c99d7fbf630e3fda7a2
SHA512: 1b8ac0f8fd9aff670f684b57526089625099813c07327bd5dbd680929dbe92e4a2f77e7a93afa172c72957894566f522ed441b2f73d4fca2b04d9f879dcd18de
Malware Config
Signatures
- Detects SVCReady loader (1 IoC)
  resource: behavioral2/memory/440-145-0x0000000010000000-0x0000000010091000-memory.dmp
  yara_rule: family_svcready
- Executes dropped EXE (1 IoC)
  PID 440, Process rCA89.tmp.exe
- Loads dropped DLL (1 IoC)
  PID 440, Process rCA89.tmp.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4404, Process WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4404, Process WINWORD.EXE (7 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4404 wrote to memory of 440: Process WINWORD.EXE (PID 4404), procid_target 82 (3 occurrences)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\technographsri invoice 26.07.2022.docm" /o ""
   PID: 4404
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\rCA89.tmp.exe (spawned under PID 4404)
      Command line: "C:\Users\Admin\AppData\Local\Temp\rCA89.tmp.exe" "C:\Users\Admin\AppData\Local\Temp\yCA88.tmp.dll",DllRegisterServer
      PID: 440
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
- Filesize: 1.3MB
  MD5: a484630dcbd57dfd48ab5fa0dc6a5268
  SHA1: 707b2a7abb4572bbbee0d479834bc3e910bba3e2
  SHA256: f343fba9c1a8b5f43e74f9ed3ca9d495f431aefcc0ff2bbaa5c97efce34f82d8
  SHA512: bee23e2dea9def226667727e03a5f2055efc9bac09a6da536e449487efbcd6d533efca59c3bfc6eeb33cd2a3f1e6221b9f5f6c3ec75160a311367327b5b6ef3b