Analysis
- max time kernel: 169s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 17:31
Behavioral tasks
- behavioral1: sample 0a2ee50102559c3c9adae0e59d2b6cd62a96b44d54dc5f8618e9df483f2bca3e.dot, resource win7-20220812-en
- behavioral2: sample 0a2ee50102559c3c9adae0e59d2b6cd62a96b44d54dc5f8618e9df483f2bca3e.dot, resource win10v2004-20220812-en
General
- Target: 0a2ee50102559c3c9adae0e59d2b6cd62a96b44d54dc5f8618e9df483f2bca3e.dot
- Size: 38KB
- MD5: 4665b7bf13d90a1a15a0a1fdc69c78bf
- SHA1: ee657ef3b3bd8baf643d6274a6005d4f17edd489
- SHA256: 0a2ee50102559c3c9adae0e59d2b6cd62a96b44d54dc5f8618e9df483f2bca3e
- SHA512: 2ceee0b4642a47dcbe1c974b1fb7c1e89afc2027be36d4cb973a55d283c91ac05b8be9043008096552c924a759f4e8c1defd21e38bb21986094e1c8d7ed2109a
- SSDEEP: 384:WwH1l1MgR5oysYa57rCtzZqDn1jilzeiAfMji8ZYnit:31l1Mm5oya5sZk3/6ZWit
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- NTFS ADS (1 IoC)
  Processes: WINWORD.EXE
  - File created: C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  - pid 1456 WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: WINWORD.EXE
  - pid 1456 WINWORD.EXE (15 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 1456)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0a2ee50102559c3c9adae0e59d2b6cd62a96b44d54dc5f8618e9df483f2bca3e.dot" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Memory dumps of pid 1456 (each 64KB):
- memory/1456-135-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-136-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-137-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-138-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-139-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-140-0x00007FFB19520000-0x00007FFB19530000-memory.dmp (64KB)
- memory/1456-141-0x00007FFB19520000-0x00007FFB19530000-memory.dmp (64KB)
- memory/1456-143-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-144-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-145-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)
- memory/1456-146-0x00007FFB1B8F0000-0x00007FFB1B900000-memory.dmp (64KB)