0edd773875311776998229b0609be9f287c37ca828b35f74c6c2f0cbdd99449f

Resubmissions

24-01-2023 14:50

230124-r7rn9sdg4x 10

23-01-2023 18:47

230123-xe7snseg35 10

Analysis

max time kernel
124s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order.rtf
Size

42KB
MD5

8ad8c615dab288132971594224aa8f4e
SHA1

dbd94f5775c44c674c2470e39e39bd60386b9740
SHA256

0edd773875311776998229b0609be9f287c37ca828b35f74c6c2f0cbdd99449f
SHA512

dfa228af6fecc10c8097dbb86ed6c05dff9cde4881b2e34387ed09e9ebad140ddcc96065cf41e05a2acfdac3efad07c7c064346aa00f5f45632d904fb5f6c9d3
SSDEEP

768:aFx0XaIsnPRIa4fwJM2Fx0XaIsnPRIa4fwJMTUjOlan0Sp3jfsFDs:af0Xvx3EM2f0Xvx3EMYjJVfsi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
1960 WINWORD.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

WINWORD.EXEEXCEL.EXE

pid	process
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE
3388	EXCEL.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
83a0e7f8dfbbf31a3030ddc6ae81663a

SHA1
064cedc52b40e2e349ec636f5e6a03fe91044c47

SHA256
a3fb75053cd75aa71f8cffbf7e875f8aec24080a9b07245d7ff178510ac9cb0b

SHA512
50183e7cfd020c88e39f3ef588675fe16a9d0428b5d23c433a625d74a521031f88d5fa357f6f1f4b93af20e2ae704d9425d0c9081773ee2f0d4bf53bc1a7e7cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
30afe8bb03553ebf9846c93e69eae115

SHA1
751bc15c49505a3fa9e7d8991b1c1dfed2ec3bac

SHA256
7a4b8bc90cda03913d37a7fc40085d120b4ceccf9182d30408655aeebeb59831

SHA512
0a2894b60d3dbb4ae4f6733408e90fcf7719c8753afe1984472b7a481bfa53836316f0baa718e2f4bfa9aa35915b9acce516681918722b8a77d08a2cc5fb1781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\10CA7916-6A11-4BDA-9D3A-9BC378726A54

Filesize
149KB

MD5
ab04002d54d5673ac98a35661dde71d3

SHA1
d9a12a544cc768ee3ea25e0adfa3420953d529d4

SHA256
a2da14628b0f70f9636ea3589a5ea294b611f5cf7110a5d825dab10dca15abfd

SHA512
2298996bb4e764fb32d819ed76437e4c071ac36bbdc540bb5f310028c05a4fb90c583f3ee8414a412f8276124ff5dcfe7cc1d8208951d3a31eb5f8086547e227

Download Submit
memory/1960-132-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/1960-133-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/1960-134-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/1960-135-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/1960-136-0x00007FF7FA290000-0x00007FF7FA2A0000-memory.dmp

Filesize
64KB

Download
memory/1960-137-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download
memory/1960-138-0x00007FF7F7930000-0x00007FF7F7940000-memory.dmp

Filesize
64KB

Download