2a833009846ddec0a37867a66613b521a0a8974653ebdb1caa7be804f8f2de36

Analysis

max time kernel
153s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

开心炉石 V3.51_破解版/使用前必看.doc
Size

638KB
MD5

9398f1e04bf34b39c56ee2d0823b9d9e
SHA1

926365f2186b0a63e5d5b42933499f42df993344
SHA256

10db95c9a3235bd88f7cf5e6d9da3aabb9461da6bbd6515701ef3e66656a92fd
SHA512

143d24888eb28d4ee436b4ec6e6d63658bebd931de98ea1b429d07f2e486e92ac60d55b7cf4ff53094c87dad72c72812a58c403c0ce03069cdc0eccd62e6e2fc
SSDEEP

12288:EN9fHq6WBhPtK6s/c6F79SGsYMAp1tXSiZEYw2XGarRjNAJW4QoFB1v:MtTWBhDG/VAcMAp14ehNA4K

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1668 WINWORD.EXE
1668 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE
1668	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\开心炉石 V3.51_破解版\使用前必看.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-132-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-133-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-134-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-135-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-136-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-137-0x00007FFB6E6B0000-0x00007FFB6E6C0000-memory.dmp

Filesize
64KB

Download
memory/1668-138-0x00007FFB6E6B0000-0x00007FFB6E6C0000-memory.dmp

Filesize
64KB

Download
memory/1668-140-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-141-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-142-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download
memory/1668-143-0x00007FFB70CF0000-0x00007FFB70D00000-memory.dmp

Filesize
64KB

Download