Analysis
max time kernel: 175s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2022 21:27
Behavioral task behavioral1
Sample: f88a9beabec75fc688e70e0493b03f63.doc
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: f88a9beabec75fc688e70e0493b03f63.doc
Resource: win10v2004-20221111-en
General
Target: f88a9beabec75fc688e70e0493b03f63.doc
Size: 22KB
MD5: f88a9beabec75fc688e70e0493b03f63
SHA1: b8dba68da2148e6024f0edf8280238e28a225a7c
SHA256: c52cc1c9962580a704649ec255cdb29d2aa9f3b6ea6a812acb56fa8ffabdbbb6
SHA512: 7aa397a1824d1545c9590273bc45bbf694e2077f6e966656b3811791b38ddf1b3f14e4da134213471999689a6e2a8944a490728081cca6b35d73b03d5c851507
SSDEEP: 384:am+peI/iGNIt56STxhukyzQ/+CKg45D/KEStS5:H+peIqGe56HW+5gUrjV
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4696 | WINWORD.EXE
4696 | WINWORD.EXE
Suspicious use of SetWindowsHookEx (21 IoCs)
Processes: WINWORD.EXE
pid | process
4696 | WINWORD.EXE (21 occurrences)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f88a9beabec75fc688e70e0493b03f63.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4696-135-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp (Filesize 64KB)
memory/4696-136-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp (Filesize 64KB)
memory/4696-137-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp (Filesize 64KB)
memory/4696-138-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp (Filesize 64KB)
memory/4696-139-0x00007FF7D09D0000-0x00007FF7D09E0000-memory.dmp (Filesize 64KB)
memory/4696-140-0x00007FF7CE970000-0x00007FF7CE980000-memory.dmp (Filesize 64KB)
memory/4696-141-0x00007FF7CE970000-0x00007FF7CE980000-memory.dmp (Filesize 64KB)