Analysis
-
max time kernel
139s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 01:20
Behavioral task
behavioral1
Sample
947c7641e172dc80204d8fc130d31a138fb8358ecfd3c95f065af7dd1ee19ff0.doc
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
947c7641e172dc80204d8fc130d31a138fb8358ecfd3c95f065af7dd1ee19ff0.doc
Resource
win10v2004-20220812-en
General
-
Target
947c7641e172dc80204d8fc130d31a138fb8358ecfd3c95f065af7dd1ee19ff0.doc
-
Size
61KB
-
MD5
4036517378b8bd555c5235b4491b5899
-
SHA1
72d2c8ed1740f0fdb5f1b5d03e60f0ab35014e46
-
SHA256
947c7641e172dc80204d8fc130d31a138fb8358ecfd3c95f065af7dd1ee19ff0
-
SHA512
ba6a78305f225fd83a4349a847ad8365d39d51505e7b175f0775c22daf5151aa79edbeeadbd03bf22703191a98a50ce749f5ab588d8c00a8d226e430b81759ff
-
SSDEEP
384:Teq+WD793eXXgLmWReCie7CqYrLmrXdjjjjjjjjjdjjdjjV+jpZiSZfI/PKRe6/8:KEpZRqNVAPoFDd1JYDpxz99I1cry2gQ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4848 WINWORD.EXE 4848 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE 4848 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\947c7641e172dc80204d8fc130d31a138fb8358ecfd3c95f065af7dd1ee19ff0.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4848-132-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-133-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-137-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmpFilesize
64KB
-
memory/4848-138-0x00007FFD188D0000-0x00007FFD188E0000-memory.dmpFilesize
64KB
-
memory/4848-140-0x0000010B4CA53000-0x0000010B4CA55000-memory.dmpFilesize
8KB
-
memory/4848-141-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-142-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-143-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB
-
memory/4848-144-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmpFilesize
64KB