Analysis
-
max time kernel
140s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2022 02:38
Behavioral task
behavioral1
Sample
77ee236f62e4013d00327f9378e344dba7cd33e9668b481b2e30f01d6d9e9b08.doc
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
77ee236f62e4013d00327f9378e344dba7cd33e9668b481b2e30f01d6d9e9b08.doc
Resource
win10v2004-20221111-en
General
-
Target
77ee236f62e4013d00327f9378e344dba7cd33e9668b481b2e30f01d6d9e9b08.doc
-
Size
32KB
-
MD5
61ffbd95ac7e829ba6449c8a1743adcf
-
SHA1
f2a0487f5cabc11e5be15d1538e01538f2f963c0
-
SHA256
77ee236f62e4013d00327f9378e344dba7cd33e9668b481b2e30f01d6d9e9b08
-
SHA512
0fab2aca34edba8c28c1302b7323e19aea44c3f9c5f9a65a5f058e25d92e8c44acd89f212511d55513c8a7e683c1bfa02ce7804db3d1d4b6539c472b69b9fe42
-
SSDEEP
192:lQweZxyNPVRpAxgJbsQZeaxS6V7U60zsSf1lzMv7vMj29QvJtDg+zX7:QAYiJb/eeilf1lz0jMjOQvJtM+3
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2972 WINWORD.EXE 2972 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
WINWORD.EXEpid process 2972 WINWORD.EXE 2972 WINWORD.EXE 2972 WINWORD.EXE 2972 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77ee236f62e4013d00327f9378e344dba7cd33e9668b481b2e30f01d6d9e9b08.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2972-132-0x00007FFA91030000-0x00007FFA91040000-memory.dmpFilesize
64KB
-
memory/2972-133-0x00007FFA91030000-0x00007FFA91040000-memory.dmpFilesize
64KB
-
memory/2972-134-0x00007FFA91030000-0x00007FFA91040000-memory.dmpFilesize
64KB
-
memory/2972-135-0x00007FFA91030000-0x00007FFA91040000-memory.dmpFilesize
64KB
-
memory/2972-136-0x00007FFA91030000-0x00007FFA91040000-memory.dmpFilesize
64KB
-
memory/2972-137-0x00007FFA8EFD0000-0x00007FFA8EFE0000-memory.dmpFilesize
64KB
-
memory/2972-138-0x00007FFA8EFD0000-0x00007FFA8EFE0000-memory.dmpFilesize
64KB