Overview

overview

10

Static

static

8702469e99...41.rtf

windows7-x64

1

8702469e99...41.rtf

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8702469e99e76ebfb73f28848cc10ca8fd9c8dabeedb9559a9bb4239dfba0941.rtf

  • Size

    447KB

  • MD5

    9eb2158d227eff7fc4a332bb82f0cd90

  • SHA1

    b00650953c80493ff396ce0b20c59929b898e941

  • SHA256

    8702469e99e76ebfb73f28848cc10ca8fd9c8dabeedb9559a9bb4239dfba0941

  • SHA512

    7fe51c8c873f448ff00197e1e2208be733fae246095438aa0e953c7cc8dac82e59d9f6ea6faaad36c3f6752a9b08f0aeac51931e04732e31d4353685a3829b04

  • SSDEEP

    6144:qaEwDKFznFIzXFUc4crsdYIaAeM3pQw7RUejwJHYmbEbkO98uaFDFLSVh/rnH:vtScbEbkLDxSVVrH

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8702469e99e76ebfb73f28848cc10ca8fd9c8dabeedb9559a9bb4239dfba0941.rtf" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3944
      • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
        "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
        2⤵
        • Process spawned unexpected child process
        PID:4136
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1308

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_1458\AC\Temp\FLC289.tmp
        Filesize

        25KB

        MD5

        d8a8176ab9e7504d6af2b7216cc6ad1d

        SHA1

        d440f698fd666e11502635bf91ab8a8be3376ccc

        SHA256

        dca454b88ece53b28d84fe6492a94a0b93c91be840d647e2a645fe5f4b8e1f39

        SHA512

        730a10fc2b176c0be3987e7e4321819e454c18d8c0d8ba455d90551bf0f1e29cb5f329e6c245c598196965bacc438a29f6944772fb6ac3755b36e00e6b69c7fc

        Download Submit
      • memory/2672-138-0x00007FFFBAAF0000-0x00007FFFBAB00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-134-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-135-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-136-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-137-0x00007FFFBAAF0000-0x00007FFFBAB00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-133-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-132-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-151-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-148-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-149-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2672-150-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3944-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4136-140-0x0000000000000000-mapping.dmp
        Download
      • memory/4136-145-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4136-144-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4136-142-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4136-143-0x00007FFFBCD90000-0x00007FFFBCDA0000-memory.dmp
        Filesize

        64KB

        Download