Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2023 16:30
Static task: static1
Behavioral task: behavioral1
- Sample: New PO.doc__.rtf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: New PO.doc__.rtf
- Resource: win10v2004-20220812-en
General
- Target: New PO.doc__.rtf
- Size: 24KB
- MD5: f53e284bae498d64482cd230ca73b0b6
- SHA1: 14a7620d0b23c9e56d87b1f1a1e294d1e59d7d10
- SHA256: 9d483b95136f3daa77fb94176c2141d3460986f275b63404c89c703b4b11e658
- SHA512: 5bf9d995847111eecdbbb46ea59306239cddd2118ad95236ce6538bf23b2a5d0dbb5f0c106acbed5df269375d8510dd8a8d1b08f1b984d58ec34664a8641fe39
- SSDEEP: 384:BTQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ4Z/Exg3Likbl8lk5xoQayFcV:BJFx0XaIsnPRIa4fwJMCplR8m5x5aogb
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process): 1404 WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid / process): 1404 WINWORD.EXE (8 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New PO.doc__.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1404-132-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-134-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-133-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-135-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-136-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-137-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmp (64KB)
- memory/1404-138-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmp (64KB)
- memory/1404-140-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-141-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-142-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)
- memory/1404-143-0x00007FFA22010000-0x00007FFA22020000-memory.dmp (64KB)