Analysis
- max time kernel: 129s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-02-2023 01:00
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order No7000008677.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Purchase Order No7000008677.docx
- Resource: win10v2004-20230220-en
General
- Target: Purchase Order No7000008677.docx
- Size: 10KB
- MD5: be91688259bce9e527e03f71f38e72e5
- SHA1: 12b1cf1e8d1149734395038ebca455fe108c8ccd
- SHA256: b50859d6de2a8b9c85dd84f0b19a956ba2029fd833639f20226baefb8b82ed0a
- SHA512: 57ec3e24eb6518229e72be959934f89907c6a9b4e3c06022a09abb168673a386b3b8b31006b2e8019e61f1a7021a032433b9aa3690b5e0669fdfac6b9711d347
- SSDEEP: 192:ScIMmtP0xfUW70vG/b3kgOi4OYTZus+1pReDnc37+Rl:SPX+si10ni4OY5yeDnMin
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  pid   process
  4736  WINWORD.EXE
  4736  WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeAuditPrivilege  4736  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid   process
  4736  WINWORD.EXE
  4736  WINWORD.EXE
  4736  WINWORD.EXE
  4736  WINWORD.EXE
  4736  WINWORD.EXE
  4736  WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase Order No7000008677.docx" /o ""
  Signatures triggered:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                              Filesize
memory/4736-133-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-135-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-134-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-136-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-137-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-138-0x00007FFB22F50000-0x00007FFB22F60000-memory.dmp  64KB
memory/4736-140-0x00007FFB22F50000-0x00007FFB22F60000-memory.dmp  64KB
memory/4736-173-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-174-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-175-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB
memory/4736-176-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp  64KB