df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b

Analysis

max time kernel
101s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b.docm
Size

69KB
MD5

584c41316433d07ee47da0d29f03d523
SHA1

e23e03a469d49e8abec172c3e6ed62dd7bb1a14f
SHA256

df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b
SHA512

dc0148dda5f543b10e1318c7038c8ee036da1439dfe3e20b321f18d3531d19e10740e81dd10308631091375d3acaaabd87e064795d2b2f4a8f639e5f1efe0f61
SSDEEP

1536:1bmVED3EOz7x0B4pNUsmNIsR+5Z5nG05BiRakr:NmV9u/aNIsonVBi0kr

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3436 WINWORD.EXE
3436 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE
3436	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\df09cf54be956ad32c29af6cd96cc33ae65416f54704a0f068ed0c5b0678a90b.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3436-132-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-134-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-133-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-135-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-136-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-137-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/3436-138-0x00007FFB61FD0000-0x00007FFB61FE0000-memory.dmp

Filesize
64KB

Download
memory/3436-140-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-141-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-142-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download
memory/3436-143-0x00007FFB64030000-0x00007FFB64040000-memory.dmp

Filesize
64KB

Download