Analysis
- max time kernel: 142s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 09:32
Behavioral tasks
- behavioral1: sample 附件1.xls, resource win7-20221111-en
- behavioral2: sample 附件1.xls, resource win10v2004-20220901-en
- behavioral3: sample 附件2.doc, resource win7-20220812-en
- behavioral4: sample 附件2.doc, resource win10v2004-20220901-en
- behavioral5: sample 附件3.doc, resource win7-20220812-en
- behavioral6: sample 附件3.doc, resource win10v2004-20220812-en
General
The sections below cover behavioral6: 附件3.doc (附件 is Chinese for "attachment") detonated on win10v2004-20220812-en.
- Target: 附件3.doc
- Size: 36KB
- MD5: f6c12cc0dc52657c0443fb9975c69aea
- SHA1: e11fb95e341917756544756e406e19abe0b64a9c
- SHA256: 6abad60606d919e684cfe9d77164c0c66b1596c0c5c2fbf618d92a2510d51ae2
- SHA512: 6a108feb8b99a54d62e05fdd4f2723ea7c28a40c7410a599680b690a9571d0c773c92c7cf2cd2be543533f1038893209025c1acb544185f1576f82b9d6532ba8
- SSDEEP: 192:LZWHUMrekWH/Lmf+4Gx4HloVPlo1+loWlotWJAVRlmCs2CGG1/tTO9rhr2N7SZ9k:LU9Wfq7H2s+BFYRvpITILyGa0yIqen
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE (PID 5012), 2 occurrences
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE (PID 5012), 16 occurrences
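The two registry signatures above are the only behaviour this run attributes to the document, and every IoC belongs to the Word host process itself: the report lists no child process, no network traffic and no other signature. Reads of CentralProcessor and BIOS keys are the classic way a document fingerprints a sandbox, but Word also touches these keys during normal start-up, so a detection built on them is low-fidelity unless it is correlated with something else. The Python below is an added example, not part of the sandbox report or its tooling. It parses registry events in the shape the report lists them (the sample lines are constructed: the six WINWORD.EXE events mirror the IoCs above, the explorer.exe and powershell.exe events are invented controls), flags any process that reads both CPU and firmware identity, and downgrades the confidence when the reader is an Office host; the OFFICE_HOSTS list and the pipe-separated line format are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of registry events (process | pid | operation | key).
# The six WINWORD.EXE lines mirror the report's IoCs; the explorer.exe and
# powershell.exe lines are invented controls, not from the report.
EVENTS = r"""
WINWORD.EXE|5012|Key opened|\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
WINWORD.EXE|5012|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
WINWORD.EXE|5012|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
WINWORD.EXE|5012|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
WINWORD.EXE|5012|Key opened|\REGISTRY\MACHINE\Hardware\Description\System\BIOS
WINWORD.EXE|5012|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
explorer.exe|1234|Key value queried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
powershell.exe|4321|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
"""

# Registry locations a sandbox-aware document reads to identify the machine.
# Windows key paths are case-insensitive and the report itself mixes cases,
# hence re.I.
FINGERPRINT_KEYS = {
    "cpu": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "firmware": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I),
}

# Assumed list of processes that read these keys as part of normal start-up;
# a hit from one of them alone is weak evidence.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def parse_events(text):
    """Turn the pipe-separated sample into (process, pid, operation, key) tuples."""
    rows = []
    for line in text.strip().splitlines():
        proc, pid, op, key = line.split("|", 3)
        rows.append((proc, int(pid), op, key))
    return rows


def fingerprint_summary(rows):
    """Per (process, pid): which key classes were touched and which values were read."""
    summary = defaultdict(lambda: {"classes": set(), "values": set()})
    for proc, pid, op, key in rows:
        for cls, pattern in FINGERPRINT_KEYS.items():
            if pattern.search(key):
                entry = summary[(proc, pid)]
                entry["classes"].add(cls)
                if op == "Key value queried":
                    entry["values"].add(key.rsplit("\\", 1)[1])
    return summary


def flag_fingerprinting(rows):
    """Flag processes that read both CPU and firmware identity, with a confidence level."""
    hits = []
    for (proc, pid), info in fingerprint_summary(rows).items():
        if info["classes"] >= {"cpu", "firmware"}:
            confidence = "low" if proc.lower() in OFFICE_HOSTS else "medium"
            hits.append({
                "process": proc,
                "pid": pid,
                "values": sorted(info["values"]),
                "confidence": confidence,
            })
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in flag_fingerprinting(parse_events(EVENTS)):
        print(f"{hit['process']} (pid {hit['pid']}) read {', '.join(hit['values'])} "
              f"-> confidence {hit['confidence']}")
```

Run on the sample, only WINWORD.EXE (PID 5012) is flagged, at low confidence; powershell.exe reads a BIOS value but nothing under CentralProcessor, so it does not cross the two-class threshold. Raising the verdict for this document would need evidence this run does not contain, such as a spawned process, a macro execution event or a network connection.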
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5012), the only process recorded in this run
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\附件3.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/5012-132-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/5012-133-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/5012-134-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/5012-135-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/5012-136-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp (64KB)
- memory/5012-137-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp (64KB)
- memory/5012-138-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp (64KB)
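The seven dumps above cover only two distinct 64KB regions of PID 5012; the first region was dumped five times (sequence numbers 132 to 136) and the second twice (137 and 138). Before pushing dumps into further analysis it pays to group them by region and confirm that each address range is page-aligned and matches the size the sandbox reports. The Python below is an added example, not part of the report or of the sandbox's own tooling; it assumes the name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp, which is inferred from the entries above, and the size units B/KB/MB.

```python
import re
from collections import defaultdict

# The seven dump entries from the report's Downloads list: (name, reported size).
DUMPS = [
    ("memory/5012-132-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp", "64KB"),
    ("memory/5012-133-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp", "64KB"),
    ("memory/5012-134-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp", "64KB"),
    ("memory/5012-135-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp", "64KB"),
    ("memory/5012-136-0x00007FFFADAD0000-0x00007FFFADAE0000-memory.dmp", "64KB"),
    ("memory/5012-137-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp", "64KB"),
    ("memory/5012-138-0x00007FFFAB600000-0x00007FFFAB610000-memory.dmp", "64KB"),
]

# Name layout assumed from the entries above (not documented on the page):
# memory/<pid>-<seq>-<start>-<end>-memory.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(\d+)\s*(B|KB|MB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
PAGE = 0x1000  # x64 Windows page size; dumped regions should be page-aligned


def parse_dump(name, size):
    """Split one Downloads entry into its pid, sequence number, range and reported size."""
    m = NAME_RE.match(name)
    s = SIZE_RE.match(size)
    if not m or not s:
        raise ValueError(f"unrecognised dump entry: {name} {size}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "span": end - start,
        "reported": int(s[1]) * UNIT[s[2]],
    }


def check_dumps(dumps):
    """Group dumps by (pid, start, end) and collect any inconsistencies found."""
    regions = defaultdict(list)
    problems = []
    for name, size in dumps:
        d = parse_dump(name, size)
        if d["end"] <= d["start"]:
            problems.append(f"{name}: end is not after start")
        if d["span"] != d["reported"]:
            problems.append(f"{name}: range is {d['span']} bytes but size says {d['reported']}")
        if d["start"] % PAGE or d["end"] % PAGE:
            problems.append(f"{name}: region is not page-aligned")
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return dict(regions), problems


if __name__ == "__main__":
    regions, problems = check_dumps(DUMPS)
    for (pid, start, end), seqs in sorted(regions.items()):
        print(f"pid {pid} region {start:#018x}-{end:#018x} "
              f"({(end - start) // 1024} KB): dumps {seqs}")
    for p in problems:
        print("problem:", p)
```

On the report's entries the check finds no inconsistencies: both ranges are exactly 0x10000 bytes, which agrees with the reported 64KB, and both are page-aligned. Deduplicating by region leaves two unique dumps to analyse instead of seven.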