Analysis
- max time kernel: 102s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:33
Static task: static1
Behavioral task: behavioral1
- Sample: ae8177f5019805fcbf381c6c3cae2e1c53beefab4ea871e54fe48bbd6ef64c82.doc
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: ae8177f5019805fcbf381c6c3cae2e1c53beefab4ea871e54fe48bbd6ef64c82.doc
- Resource: win10v2004-20220901-en
General
- Target: ae8177f5019805fcbf381c6c3cae2e1c53beefab4ea871e54fe48bbd6ef64c82.doc
- Size: 26KB
- MD5: 41213738288fe27dd6062a1a4392f51b
- SHA1: 7439d6f7ff23f6ad96f9cebf87170df7926fb15e
- SHA256: ae8177f5019805fcbf381c6c3cae2e1c53beefab4ea871e54fe48bbd6ef64c82
- SHA512: 4067a9a12aa8bfba108969315a251f18fd352b6855371820f72e1aa51f4f37099f384ec2ae18d14762b8ca0666665fecaba8943670b49fd55e6abe51d85afebd
- SSDEEP: 192:g8TmTNZnfUnNqTxTmTlRBUCVq5tTDTQTC+fuUU+I3T9B802mp36L/6IZZZlwv7lN:V6VV6ctXks3XsN/6UDwv7lT
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    632 | WINWORD.EXE
    632 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (pid | process):
    632 | WINWORD.EXE (16 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ae8177f5019805fcbf381c6c3cae2e1c53beefab4ea871e54fe48bbd6ef64c82.doc" /o ""
  PID: 632
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/632-132-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-133-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-134-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-135-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-136-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-137-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp (filesize: 64KB)
- memory/632-138-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp (filesize: 64KB)
- memory/632-140-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-141-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-142-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)
- memory/632-143-0x00007FFE73230000-0x00007FFE73240000-memory.dmp (filesize: 64KB)