12b408151f5a17a28ad5b6f78fb0bf34e8db78811789cceaea645c0cec6097e5

Analysis

max time kernel
112s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GESTION IMMOBILIERE.docx
Size

168KB
MD5

de098d3fd1e8c8dca1596dc308eb88ff
SHA1

00ff381209e7267f2de6f93bd55ccf2e9145c9d4
SHA256

12b408151f5a17a28ad5b6f78fb0bf34e8db78811789cceaea645c0cec6097e5
SHA512

48edd28f0ff5083ace992b7178f3e4bf36dd0030e023acb6e5f003f06350c97e1605af0d15b59850de4267851fcfc91498dd6d334d0c0b579e82bd6d9833345c
SSDEEP

3072:NboIChJ/OKO9XisrxVjYZyGRhRs/olZDfCUCO2aLChs+ePHy1ygv3ybB7uQje:Nb5Owys1VjYZyGRhRoirEOjG2+kHsjv5

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4392	WINWORD.EXE
4392	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE
4392	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\GESTION IMMOBILIERE.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\823B5EAC.jpeg

Filesize
12KB

MD5
638a6ee77f31d4af34abfaf2823ad479

SHA1
9f27aa5f6c2168d3b95dafe7447c957a88c728ea

SHA256
32fa4b8e521885d66b774ae0409d601bfc6a0f784dd2c563bba5691d0735447c

SHA512
3572b73138eff0a157b86d10081996a11059da4d6db27171483f5fab4c70c5b5c52dc1303143cd9fec033ae2ed2523888ff960b865f889b5e91a944a70c644be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryFR040c.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4392-139-0x00007FF995E50000-0x00007FF995E60000-memory.dmp

Filesize
64KB

Download
memory/4392-136-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-137-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-138-0x00007FF995E50000-0x00007FF995E60000-memory.dmp

Filesize
64KB

Download
memory/4392-133-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-135-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-134-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-187-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-188-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-189-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download
memory/4392-190-0x00007FF9987B0000-0x00007FF9987C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads