Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: 中医院上网清单/启东中医院门诊大楼装饰工程(经济标).xml
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 中医院上网清单/启东中医院门诊大楼装饰工程(经济标).xml
- Resource: win10v2004-20221111-en
Behavioral task: behavioral3
- Sample: 中医院上网清单/材料暂估价表.xls
- Resource: win7-20221111-en
Behavioral task: behavioral4
- Sample: 中医院上网清单/材料暂估价表.xls
- Resource: win10v2004-20220901-en
Behavioral task: behavioral5
- Sample: 中医院上网清单/编制说明.doc
- Resource: win7-20220812-en
Behavioral task: behavioral6
- Sample: 中医院上网清单/编制说明.doc
- Resource: win10v2004-20220812-en
General
- Target: 中医院上网清单/编制说明.doc
- Size: 32KB
- MD5: 7b5b441435c4d53a1cf1de7cb96d2611
- SHA1: d423c8cd3eb3a995d88f450e300e575525dea8da
- SHA256: 9ec861774c910268d54268a7cf1b6a8c69cc9e5fa1514e1ac6359a3f2c00e0ef
- SHA512: e674b443f2aa4badc9c97f23af8c467e663ec0f7518e618104faf2b5d37c72074d2792081d6efdcf684cc90993cfcdfc8902700b43e6007d1901f4ccc17eb9eb
- SSDEEP: 384:Z7ZheVhSe76+1244NHEMugC9YXo3obe9YfmLYe9YKoZ9:Z7ze6NHylNi
Malware Config
Signatures
-
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description       | ioc                                                                          | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description       | ioc                                                          | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS              | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  3312 | WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  3312 | WINWORD.EXE (16 occurrences, all from the same process)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\中医院上网清单\编制说明.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3312
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3312-132-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-133-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-134-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-135-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-136-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-137-0x00007FF9997B0000-0x00007FF9997C0000-memory.dmp (64KB)
- memory/3312-138-0x00007FF9997B0000-0x00007FF9997C0000-memory.dmp (64KB)
- memory/3312-140-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-141-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-142-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)
- memory/3312-143-0x00007FF99C110000-0x00007FF99C120000-memory.dmp (64KB)