Analysis
- max time kernel: 151s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: 9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef.doc
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef.doc
- Resource: win10v2004-20220812-en
General
- Target: 9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef.doc
- Size: 32KB
- MD5: 7b5b441435c4d53a1cf1de7cb96d2611
- SHA1: d423c8cd3eb3a995d88f450e300e575525dea8da
- SHA256: 9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef
- SHA512: e674b443f2aa4badc9c97f23af8c467e663ec0f7518e618104faf2b5d37c72074d2792081d6efdcf684cc90993cfcdfc8902700b43e6007d1901f4ccc17eb9eb
- SSDEEP: 384:Z7ZheVhSe76+1244NHEMugC9YXo3obe9YfmLYe9YKoZ9:Z7ze6NHylNi
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1712 | WINWORD.EXE
  1712 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE
  pid | process
  1712 | WINWORD.EXE (the same pid/process pair for all 16 IoCs)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef.doc" /o ""
  PID: 1712
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1712-132-0x00007FFCE8AF0000-0x00007FFCE8B00000-memory.dmp (Filesize: 64KB)
- memory/1712-134-0x00007FFCE8AF0000-0x00007FFCE8B00000-memory.dmp (Filesize: 64KB)
- memory/1712-133-0x00007FFCE8AF0000-0x00007FFCE8B00000-memory.dmp (Filesize: 64KB)
- memory/1712-135-0x00007FFCE8AF0000-0x00007FFCE8B00000-memory.dmp (Filesize: 64KB)
- memory/1712-136-0x00007FFCE8AF0000-0x00007FFCE8B00000-memory.dmp (Filesize: 64KB)
- memory/1712-137-0x00007FFCE6700000-0x00007FFCE6710000-memory.dmp (Filesize: 64KB)
- memory/1712-138-0x00007FFCE6700000-0x00007FFCE6710000-memory.dmp (Filesize: 64KB)