Analysis
-
max time kernel
169s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-07-2022 09:49
Static task
static1
Behavioral task
behavioral1
Sample
72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf
Resource
win10v2004-20220721-en
General
-
Target
72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf
-
Size
2.7MB
-
MD5
5d455092970ee2f4a00ac451ca4d4903
-
SHA1
3912ec755f8a40400ffb684991d2f75cb104cec6
-
SHA256
72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b
-
SHA512
0f0b442d9e51df7573b847418be5aea84b940b9d45010c3c23821ff7b8daec1408e9da2d1f4caca868f5aa76bb9448ecedd339c7892f8db3f9554a3a01fc7b23
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 9 IoCs)
Processor information is often read in order to detect sandboxing environments. Here every read comes from WINWORD.EXE, EXCEL.EXE or excelcnv.exe, which query these keys during normal startup, so for an Office document this signature is expected and low-signal on its own.
Processes: EXCEL.EXE, excelcnv.exe, WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | excelcnv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | excelcnv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | excelcnv.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
-
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, excelcnv.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | excelcnv.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | excelcnv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | excelcnv.exe
-
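The two registry signatures above list 18 read operations as flattened "description / ioc / process" rows. As an added example (not part of this report or the sandbox's own tooling), the script below parses those rows, keeps only reads of hardware-description keys of the kind VM and sandbox checks compare against known strings, and splits them by whether the reading process is one of Office's own binaries. The IOC rows are copied from the report; the Office baseline set and the fingerprint key prefixes beyond the CentralProcessor and BIOS paths in the report are this example's own assumptions.

```python
"""Triage registry-read IOCs from a sandbox report (added example)."""
import re
from collections import defaultdict

# IOC rows copied from the report's two registry signatures (18 rows).
REPORT_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 excelcnv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz excelcnv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString excelcnv.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily excelcnv.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS excelcnv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU excelcnv.exe
"""

# "<action> <registry path> <process image name>" as the report flattens it.
ROW_RE = re.compile(r"^(Key value queried|Key opened)\s+(\\REGISTRY\\\S+)\s+(\S+)$")

# Registry paths (lower-cased, prefix match) that describe the machine rather
# than the user's data. The first two are the ones in the report; the rest are
# this example's additions of other well-known VM/sandbox fingerprint locations.
FINGERPRINT_PREFIXES = (
    r"\registry\machine\hardware\description\system\centralprocessor",
    r"\registry\machine\hardware\description\system\bios",
    r"\registry\machine\hardware\description\system\videobiosversion",
    r"\registry\machine\system\currentcontrolset\services\disk\enum",
    r"\registry\machine\software\vmware, inc.\vmware tools",
    r"\registry\machine\software\oracle\virtualbox guest additions",
)

# Office binaries that read the CentralProcessor/BIOS keys on every launch
# (assumption of this example, the kind of list built by running clean documents).
OFFICE_BASELINE = {"winword.exe", "excel.exe", "excelcnv.exe", "powerpnt.exe"}


def parse_rows(text):
    """Turn the flattened report rows into (action, key, process) triples."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IOC row: {line!r}")
        rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def is_fingerprint_read(key):
    """True when the key sits under a hardware/VM-description path (case-insensitive)."""
    return key.lower().startswith(FINGERPRINT_PREFIXES)


def triage(rows, baseline=OFFICE_BASELINE):
    """Group fingerprint reads by process and split by baseline membership.

    Returns {"expected": {process: {keys}}, "unexpected": {process: {keys}}};
    anything under "unexpected" is a non-baseline process reading machine
    identity, which is what actually deserves analyst attention.
    """
    result = {"expected": defaultdict(set), "unexpected": defaultdict(set)}
    for _action, key, proc in rows:
        if not is_fingerprint_read(key):
            continue
        bucket = "expected" if proc.lower() in baseline else "unexpected"
        result[bucket][proc].add(key.lower())
    return {bucket: dict(procs) for bucket, procs in result.items()}


if __name__ == "__main__":
    verdict = triage(parse_rows(REPORT_ROWS))
    for bucket, procs in verdict.items():
        for proc, keys in sorted(procs.items()):
            print(f"{bucket:10s} {proc:14s} {len(keys)} fingerprint key(s)")
```

Run against the report's rows, every reader lands in the "expected" bucket; the same rows attributed to, say, a script host would land in "unexpected". Note that these are registry read operations, which the sandbox's API monitor records but which Sysmon's registry events (value set, key create/delete, rename) do not, so this triage cannot be reproduced from Sysmon logs alone.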
NTFS ADS (1 IoC)
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\{BE7937F5-3211-42FE-BEA7-B964C1F605DE}\A.X:Zone.Identifier | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
1820 | WINWORD.EXE
1820 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: WINWORD.EXE, EXCEL.EXE, excelcnv.exe
pid | process
1820 | WINWORD.EXE
1820 | WINWORD.EXE
1820 | WINWORD.EXE
3440 | EXCEL.EXE
3440 | EXCEL.EXE
3440 | EXCEL.EXE
3440 | EXCEL.EXE
2224 | excelcnv.exe
1820 | WINWORD.EXE
1820 | WINWORD.EXE
1820 | WINWORD.EXE
1820 | WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe
"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
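Both EXCEL.EXE and excelcnv.exe are started with -Embedding, the switch Office uses when it launches an application as the OLE server for an object embedded in the document, so the RTF's \object groups are the natural next thing to inspect statically. The extractor below is an added example, not part of this report or the sandbox's tooling: it pulls the objclass and objdata groups out of RTF text and decodes the OLE 1.0 ObjectHeader that the object data carries. The sample RTF, its Excel.Sheet.12 class name and the stub payload are constructed for the example and are not the submitted file; the parser assumes the hex-encoded (not \bin) form of objdata and the usual objclass-before-objdata order.

```python
"""Locate and unpack OLE objects embedded in an RTF document (added example)."""
import re
import struct

# OLE 1.0 FormatID values from the ObjectHeader: 1 = linked, 2 = embedded.
FORMAT_NAMES = {1: "linked", 2: "embedded"}
# Magic bytes of a Compound File Binary, the container an embedded Excel/Word object uses.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# One \object group: assumes {\*\objclass ...} precedes {\*\objdata ...} and that the
# object data is hex text (the \bin binary form is not handled here).
OBJ_GROUP_RE = re.compile(
    r"\{\\object.*?\{\\\*\\objclass\s+([^}]*)\}.*?\{\\\*\\objdata\s+([^}]*)\}",
    re.S,
)


def _lp_string(buf, off):
    """LengthPrefixedAnsiString: uint32 length (including the NUL) then bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + n]
    return raw.rstrip(b"\0").decode("latin-1"), off + n


def parse_ole1(blob):
    """Decode the OLE 1.0 ObjectHeader and return the native data it wraps."""
    version, fmt = struct.unpack_from("<II", blob, 0)   # OLEVersion, FormatID
    off = 8
    class_name, off = _lp_string(blob, off)             # ClassName (ProgID)
    _topic, off = _lp_string(blob, off)                 # TopicName (links only)
    _item, off = _lp_string(blob, off)                  # ItemName (links only)
    (size,) = struct.unpack_from("<I", blob, off)       # NativeDataSize
    off += 4
    native = blob[off:off + size]
    return {
        "ole_version": version,
        "format": FORMAT_NAMES.get(fmt, f"unknown({fmt})"),
        "class_name": class_name,
        "native_size": size,
        "native_is_cfb": native.startswith(CFB_MAGIC),
        "truncated": len(native) < size,   # declared size runs past the blob
        "native": native,
    }


def extract_objects(rtf_text):
    """Return one dict per embedded object found in the RTF text."""
    found = []
    for objclass, hexdata in OBJ_GROUP_RE.findall(rtf_text):
        clean = re.sub(r"[^0-9a-fA-F]", "", hexdata)  # drop RTF line breaks/spaces
        info = parse_ole1(bytes.fromhex(clean))
        info["objclass"] = objclass.strip()
        found.append(info)
    return found


def build_ole1(class_name, native):
    """Constructed OLE 1.0 embedded-object stream, used only to build the sample."""
    cn = class_name.encode() + b"\0"
    return (struct.pack("<II", 0x00000501, 2)             # OLEVersion, FormatID=embedded
            + struct.pack("<I", len(cn)) + cn              # ClassName
            + struct.pack("<I", 0) + struct.pack("<I", 0)  # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)     # NativeDataSize, NativeData


# Constructed sample RTF with one embedded object; the payload is a stub that only
# carries the CFB magic bytes, not a real workbook.
SAMPLE_NATIVE = CFB_MAGIC + b"\0" * 24
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}" "\n"
    r"\pard Invoice attached.\par" "\n"
    r"{\object\objemb\objw1440\objh1440{\*\objclass Excel.Sheet.12}{\*\objdata " "\n"
    + build_ole1("Excel.Sheet.12", SAMPLE_NATIVE).hex() + "\n}}}"
)


if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(f"{obj['objclass']}: {obj['format']} {obj['class_name']}, "
              f"{obj['native_size']} bytes, CFB={obj['native_is_cfb']}, "
              f"truncated={obj['truncated']}")
```

When the ProgID in objclass and the ClassName inside the OLE header disagree, or the native data is not a CFB container despite an Office class name, that mismatch is itself worth flagging; the "truncated" field catches a NativeDataSize that overruns the hex that was actually supplied.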
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize 471B
MD5 98194ef3188aac75deaa2e16f4a43eb7
SHA1 31958ae66572514ca49b43082f085813591328b1
SHA256 2b8d1f010f6492e8fc6d3432ff8d0a1213adc644046515d2ddabf674876323bc
SHA512 186e9b12701b4bcdd02ff0335a3107c9731ec1eb2fbf4d72a7a038fae23a06d1b1f6c6e2a9ad9e4937147a8ff5ba4d740311c6cd9e7a72a2518ae6d2418632c3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize 442B
MD5 84686e3a5d69c4cedfe10394eebbb173
SHA1 22759a15b37e7049cfb7a6b7d34a986d2ed8c41a
SHA256 b1022323cbbbc6929fbe0c9d70fc48b503f52d37831a3bdfe1c4acffbfe540b0
SHA512 63732252788384d0c61efff04683a7517def2c0ee561b7608156dedf32a3af3fb3fabd7c9920c25e95bb4ee31652eaef61c760064546a4c87e438e41db6d0cf5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54B8D47B-AAB5-4AB8-82FC-1617ED222888
Filesize 147KB
MD5 00ac1c4d3377520ad51f78f35cabe62e
SHA1 b11534cef95ef2c0578256702688da70c7d153e1
SHA256 11c310e2104db8fe0669f4376ac84a75c19ce08bcc1c173a656f232938b1058f
SHA512 c08d0429df9c65e4b7f8679afc2cdf4d05f2f94c6b4f03e22e65bf85aa07619f376cdc2a916828e5c44ae356f8166bbc43fed0773b3a654c6510b160c7002d78
-
memory/1820-130-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/1820-131-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/1820-132-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/1820-133-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/1820-134-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/1820-135-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp
Filesize 64KB
-
memory/1820-136-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp
Filesize 64KB
-
memory/2224-149-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/2224-150-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/2224-151-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/2224-148-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/2224-160-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/2224-161-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/3440-155-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/3440-156-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/3440-157-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB
-
memory/3440-158-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp
Filesize 64KB