Analysis
- max time kernel: 101s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-03-2023 09:21
Static task
- static1
Behavioral task
- behavioral1
  Sample: Josefinabosco Groups Limited RFQ#20230304.docx
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: Josefinabosco Groups Limited RFQ#20230304.docx
  Resource: win10v2004-20230220-en
General
- Target: Josefinabosco Groups Limited RFQ#20230304.docx
- Size: 10KB
- MD5: 6d5efe89e5096d4e503cfa45e3be6012
- SHA1: 582580bdcdf8e6075a9bb736a5421e4674ce3750
- SHA256: 5d39d0f94d3ab0ac294f5438619965dfcb56b6347faae2179c115caed2715ca8
- SHA512: 239770ced2b5b104b9dd6394c1528d9bb8a691e0f0518ebe68d6cdabf3fd6298f43667671794f1cd6ef355bd10758e4d5b8a861fa11894d67da96f1af9dace78
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uOXFl+CVWBXJC0c3o+:SPXU/slT+LOXFHkZC9j
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WINWORD.EXE
  description | pid | process
  Token: SeAuditPrivilege | 4596 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
  4596 | WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Josefinabosco Groups Limited RFQ#20230304.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads