3a7245ad086904c37686d967c01ff39ec3e08681aaff6fa2853445ca7870ec18

Analysis

max time kernel
205s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

申报农艺师相关表格及材料/各职称系列共用的/袋底.doc
Size

30KB
MD5

152d9585045792954d2580b5e4db31aa
SHA1

e48388de9df92edbe48a177ad040835077f69788
SHA256

d9d2b29b1b4326c964931948ff3f89dd49752fb060b5bde65fd27e4b8706d20d
SHA512

4136f6c2916d72c41f7c897f59ed13ad5f145b1523ac729ba6e849c1ac6639e63e2fe29cea1ad86a703f27b2b68d936a73ed30158981a4587b0dd61459d8c737
SSDEEP

192:5ggTTssOXI0BAhV3NsYzWe/zWH6z4rTnonzFm:5ggTYsYI06hV3iYzWKzWH6z4vonc

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4512 WINWORD.EXE
4512 WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE
4512	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\申报农艺师相关表格及材料\各职称系列共用的\袋底.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4512-132-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-133-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-134-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-135-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-136-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-137-0x00007FF8BE900000-0x00007FF8BE910000-memory.dmp

Filesize
64KB

Download
memory/4512-138-0x00007FF8BE900000-0x00007FF8BE910000-memory.dmp

Filesize
64KB

Download
memory/4512-140-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-142-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-141-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download
memory/4512-143-0x00007FF8C0C50000-0x00007FF8C0C60000-memory.dmp

Filesize
64KB

Download