Analysis
Max time kernel: 115s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-12-2022 11:51
Static task: static1
Behavioral task: behavioral1 (Sample: Order list.rtf, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Order list.rtf, Resource: win10v2004-20220812-en)
General
Target: Order list.rtf
Size: 32KB
MD5: 4fb9a0f253fae2dcd2ebd9327855706e
SHA1: 61f9c00a4f2cb2c5acefc497bbe9c035ef4b5b8b
SHA256: 306caca869e40f7d5a867f3ab7e91493886210888715b26f55578517a75889ad
SHA512: 425f9fdf36be24da077f907cfda97c7dd4f24a8995cf2902bdd0526490667e7efc5c8387c294a279fd457f833fa660d0067d42282096b2bb15a9cd16415e9ef0
SSDEEP: 768:XFx0XaIsnPRIa4fwJMFM4BZj163DLZQexNoGF88fVvif:Xf0Xvx3EM3BZY332ANdvif
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description        ioc                                                                          process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0              WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz         WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU                  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                            WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid   process
  4648  WINWORD.EXE (2 identical entries)

Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: WINWORD.EXE
  pid   process
  4648  WINWORD.EXE (8 identical entries)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order list.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/4648-132-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-133-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-134-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-135-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-136-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-137-0x00007FF85A490000-0x00007FF85A4A0000-memory.dmp (64KB)
memory/4648-138-0x00007FF85A490000-0x00007FF85A4A0000-memory.dmp (64KB)
memory/4648-140-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-141-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-142-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)
memory/4648-143-0x00007FF85CAD0000-0x00007FF85CAE0000-memory.dmp (64KB)