Analysis
- max time kernel: 166s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 13:06
Behavioral task: behavioral1
- Sample: 3edd7025b9acf1d28befad9f29f914820782311c7c0ab16b8128387724b9d8a9.doc
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 3edd7025b9acf1d28befad9f29f914820782311c7c0ab16b8128387724b9d8a9.doc
- Resource: win10v2004-20221111-en
General
- Target: 3edd7025b9acf1d28befad9f29f914820782311c7c0ab16b8128387724b9d8a9.doc
- Size: 62KB
- MD5: b288734f0a81ce368fdef9e6f9c6b996
- SHA1: 9ce157ef746722c93e0d90217fc91be1cae36e57
- SHA256: 3edd7025b9acf1d28befad9f29f914820782311c7c0ab16b8128387724b9d8a9
- SHA512: fa0111a1bfe7fdb7ad1324d199fd895fe497d3531dfb4a77b766b9b1516c7c68179d42ec64b65b602ad427a6902828ec0cea427422c7244ac97840c9324e0ba7
- SSDEEP: 384:T72qb/ufh1iSZfI/PKRIlKNul7LO4iUtn/YbTjXyKwcUgwhliHm1sMFjqKHg60jI:HVjufhpAPobm7K4cTrB3uhliHmDTr
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- pid 1512, process WINWORD.EXE (listed 2 times)
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes: WINWORD.EXE
- pid 1512, process WINWORD.EXE (listed 15 times)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3edd7025b9acf1d28befad9f29f914820782311c7c0ab16b8128387724b9d8a9.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6