Analysis
- max time kernel: 149s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-01-2023 17:31
Behavioral task behavioral1
- Sample: d9a3a6ee60a3d70c7d22ca968a936765.doc
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: d9a3a6ee60a3d70c7d22ca968a936765.doc
- Resource: win10v2004-20220812-en
General
- Target: d9a3a6ee60a3d70c7d22ca968a936765.doc
- Size: 47KB
- MD5: d9a3a6ee60a3d70c7d22ca968a936765
- SHA1: fd030ee960bcda4bcf8cadf5b3f4bd042ea19438
- SHA256: 0d9da259d9d65a1b7b56f1c8cd0d4cba4a2b3e9e3c6450e6bcd73bfce8f846b6
- SHA512: 05a7adf7cc5bd9f9fc0da88b992b3f7f3bcf7a6a1c187389361a442539684db2c8f73d24200d5545b4fb46217abf7ad00cc27ac2c7ad847814e813c2cb12c4f7
- SSDEEP: 768:rx5i7l8PFHS1h0p0EdB3qTeJuGfcJj8cmXEb6ijcjcc1jcdtvc0aDpIdbcecVc07:rfO4dpp0SNNJuuEb6iIEvdQfj
Malware Config
Signatures
All four signatures below are attributed to the Word host process itself (WINWORD.EXE, pid 3576); the report records no child process and no network activity.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE, pid 3576 (2 hits)
- Suspicious use of SetWindowsHookEx (21 IoCs)
  Processes: WINWORD.EXE, pid 3576 (21 hits)
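The two registry signatures above say what was read but not what the values look like on a sandbox versus a physical machine. The following is an added example, not code from the Triage report or from the sample: it re-reads the same four values (CentralProcessor\0\~MHz and ProcessorNameString, BIOS\SystemFamily and SystemSKU) from HKLM when run on Windows, and scores them with a small hypervisor-marker heuristic. The marker list, the "missing value" rule and the two sample fingerprints are assumptions constructed for illustration; the scoring function is pure so it can be run on any host.

```python
# Added example (not part of the Triage report): re-read the registry values
# the report shows WINWORD.EXE querying and score them with simple
# hypervisor-marker heuristics.  VM_MARKERS and the sample dicts below are
# assumptions for illustration, not a definitive VM-detection method.
import platform

# (HKLM subkey, value name) pairs exactly as they appear in the report's IoCs.
FINGERPRINT_VALUES = [
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "~MHz"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemFamily"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemSKU"),
]

# Vendor strings that commonly show up in BIOS/CPU fields of virtualised
# guests (assumption: a short, illustrative list, not exhaustive).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
              "hyper-v", "virtual machine", "bochs", "parallels")


def read_fingerprint():
    """Read the four values from HKLM on a Windows host.

    Returns a dict mapping 'subkey\\value' to the stored data, with None for
    values that do not exist.  On non-Windows hosts returns an empty dict so
    the scoring function can still be exercised with constructed input.
    """
    if platform.system() != "Windows":
        return {}
    import winreg  # stdlib, Windows only
    values = {}
    for subkey, name in FINGERPRINT_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _kind = winreg.QueryValueEx(key, name)
        except OSError:
            data = None
        values[f"{subkey}\\{name}"] = data
    return values


def vm_indicators(values):
    """Return (value_path, reason) pairs that look like a VM or sandbox.

    Pure function over a dict shaped like read_fingerprint()'s result.  A
    missing value is reported too: physical firmware normally populates
    SystemFamily/SystemSKU, so an absent value is itself a weak signal.
    """
    findings = []
    for path, data in values.items():
        if data is None:
            findings.append((path, "value missing"))
            continue
        if path.endswith("\\~MHz"):
            # ~MHz is a REG_DWORD; hypervisors usually pass the host clock
            # through, so it carries little signal and is only sanity-checked.
            if not isinstance(data, int) or data <= 0:
                findings.append((path, f"implausible clock {data!r}"))
            continue
        text = str(data).lower()
        marker = next((m for m in VM_MARKERS if m in text), None)
        if marker:
            findings.append((path, f"contains '{marker}'"))
    return findings


# Constructed sample fingerprints (not taken from the report), one per case.
CPU0 = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS = r"HARDWARE\DESCRIPTION\System\BIOS"

PHYSICAL_HOST = {
    CPU0 + r"\~MHz": 2400,
    CPU0 + r"\ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    BIOS + r"\SystemFamily": "Example Laptop 1234",
    BIOS + r"\SystemSKU": "EXAMPLE-SKU-0001",
}

HYPERV_GUEST = {
    CPU0 + r"\~MHz": 2400,
    # Guests typically still see the host CPU name, so this field alone
    # does not distinguish the two cases.
    CPU0 + r"\ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    BIOS + r"\SystemFamily": "Virtual Machine",
    BIOS + r"\SystemSKU": None,
}

if __name__ == "__main__":
    for label, sample in (("physical", PHYSICAL_HOST),
                          ("hyper-v guest", HYPERV_GUEST),
                          ("this host", read_fingerprint())):
        print(f"{label}: {vm_indicators(sample)}")
```

Run it on a bare-metal box and inside the analysis image to see which of the four values actually differ; the point of checking the report's exact keys is that any difference you find is one the sample could have observed with the same four reads.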
Processes
- "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d9a3a6ee60a3d70c7d22ca968a936765.doc" /o "" (pid 3576)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3576-132-0x00007FFC45150000-0x00007FFC45160000-memory.dmp (Filesize 64KB)
- memory/3576-133-0x00007FFC45150000-0x00007FFC45160000-memory.dmp (Filesize 64KB)
- memory/3576-134-0x00007FFC45150000-0x00007FFC45160000-memory.dmp (Filesize 64KB)
- memory/3576-135-0x00007FFC45150000-0x00007FFC45160000-memory.dmp (Filesize 64KB)
- memory/3576-136-0x00007FFC45150000-0x00007FFC45160000-memory.dmp (Filesize 64KB)
- memory/3576-137-0x00007FFC42D80000-0x00007FFC42D90000-memory.dmp (Filesize 64KB)
- memory/3576-138-0x00007FFC42D80000-0x00007FFC42D90000-memory.dmp (Filesize 64KB)