Analysis
- max time kernel: 688s
- max time network: 704s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 13:34
Static task: static1
Behavioral task: behavioral1
- Sample: 000003_20221206.rtf
- Resource: win7-20220901-en (windows7-x64)
- 23 signatures
- 600 seconds
Behavioral task: behavioral2
- Sample: 000003_20221206.rtf
- Resource: win10v2004-20221111-en (windows10-2004-x64)
- 4 signatures
- 600 seconds
General
- Target: 000003_20221206.rtf
- Size: 3KB
- MD5: feb31139c26b083f45bac3fedd811e2d
- SHA1: 8c2b7d9d9a953a9f944c141498724da53624a12c
- SHA256: 6b0f67636b41da6d6f69d57dd2b421c140ee5090c168eb09b08357c00eb1963d
- SHA512: 487bc1ff45089071a6cdfbe9c6637285d7549fc4c011e8ec8fc4827609c531219d3c53b5516e03a48d07b623e7f904fc3f43c48c59a941a31918c5229996eba7
Score: 1/10
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  - pid 3724, process WINWORD.EXE (same entry listed for each IoC)
- Suspicious use of SetWindowsHookEx (22 IoCs)
  Processes: WINWORD.EXE
  - pid 3724, process WINWORD.EXE (same entry listed for each IoC)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\000003_20221206.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads