313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37.doc
Size

115KB
MD5

7cf2a5dfb0c0777e0670aea29cb3a97b
SHA1

ddbcdccf41d8386ae5183415c3ce139a6a010efb
SHA256

313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37
SHA512

e87fbf56de867d4b895db24dd7c7abb2fedfcf020ed004e636bb5bf4b5b51b8f9a2da534b7077eab822b42f939891c217ca162d4b1334bf3ded7bbc611fbb92c
SSDEEP

3072:WFJ6s9d9fP4LvppgFS8tvJpIl/2016CMnryG1e:bs9grpwSQpIl7IryMe

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3708 820 wscript.exe
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

32 3708 wscript.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	820	wscript.exe

flow	pid	process
32	3708	wscript.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4948 WINWORD.EXE
4948 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE
4948	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\313a743ed5558caa203fd873c22a178d6e4fed8c3ca75d40f827eeedccf31c37.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\system32\wscript.exe
wscript.exe //e:vbscript //b C:\Users\Admin\AppData\Roaming\Microsoft\Templates\1589989024.xml
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\1589989024.xml

Filesize
190B

MD5
eb7426a8b9e544057246dbb2027d6f3f

SHA1
8646086619816068ffcdde0d440dee3b45db3a18

SHA256
65e4b48d32aececc74fcecbee233ab8d83e60199c6e7b0b0aeaf55d1652fd607

SHA512
60b36164e7e7cc078d9097990680ee2233662d015918abc5a9ff5a797003f702a5cb1de640272678642cd806aa02bc37120aa9ba7f619fe87f64e737a14ca00e

Download Submit
memory/4948-132-0x00007FFE21190000-0x00007FFE211A0000-memory.dmp

Filesize
64KB

Download
memory/4948-133-0x00007FFE21190000-0x00007FFE211A0000-memory.dmp

Filesize
64KB

Download
memory/4948-134-0x00007FFE21190000-0x00007FFE211A0000-memory.dmp

Filesize
64KB

Download
memory/4948-135-0x00007FFE21190000-0x00007FFE211A0000-memory.dmp

Filesize
64KB

Download
memory/4948-136-0x00007FFE21190000-0x00007FFE211A0000-memory.dmp

Filesize
64KB

Download
memory/4948-137-0x00007FFE1F130000-0x00007FFE1F140000-memory.dmp

Filesize
64KB

Download
memory/4948-138-0x00007FFE1F130000-0x00007FFE1F140000-memory.dmp

Filesize
64KB

Download