8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad

Analysis

max time kernel
262s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad.docx
Size

579KB
MD5

b7e63b7247be18cdfb36c1f3200c1dba
SHA1

53a1b84d67b8be077f6d1dd244159262f7d1a0f9
SHA256

8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad
SHA512

27a3d0c5a0b2aa07d0ee3881f579748027be363d4d3a5df4b89330d4f532f0b9dc121f56c83810676f0c92ed2602f307de7398986410ef96470808e8d5fc9526
SSDEEP

12288:auXRsLOD6YzxHg2HVkHA1bGuifOSQmuDgclpIyVinK9DfXI7uDQLFxCGCQi86:auXRs6WaxA8nGjwmwWKdfbKPnNH6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\https:\cstc-spares-vip-163.dowmload.net\14668\1\1228\2\0\0\0\m\files-403a1120\file.rtf	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4860	WINWORD.EXE
4860	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeAuditPrivilege	4860	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4860	WINWORD.EXE
4860	WINWORD.EXE
4860	WINWORD.EXE
4860	WINWORD.EXE
4860	WINWORD.EXE
4860	WINWORD.EXE
4860	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8af93bed967925b3e5a70d0ad90eae1f13bc6e362ae3dac705e984f8697aaaad.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3F3C4A9C.emf

Filesize
52B

MD5
912ff26ac760112b12167f902f17ecfd

SHA1
ac2d2544f0607a40d2255a04aede580ac91f4673

SHA256
1833637d2bb49186e0667ae0896ecc4d5b00b3383529f74edb75cad8748cd9b3

SHA512
e837e4ee45800980d4001a80988224641538fd2f26a18bb5e9a68ebbea7a97f47aacc5b81fe9105931cda6dd2a721d5f7de880417560096c1e779eaf5c6d82f7

Download Submit
memory/4860-133-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-134-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-135-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-136-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-137-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-138-0x00007FFA51000000-0x00007FFA51010000-memory.dmp

Filesize
64KB

Download
memory/4860-139-0x00007FFA51000000-0x00007FFA51010000-memory.dmp

Filesize
64KB

Download
memory/4860-198-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-199-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-200-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download
memory/4860-201-0x00007FFA538B0000-0x00007FFA538C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads