Analysis
max time kernel: 113s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2023, 12:40
Static task: static1

Behavioral task: behavioral1
Sample: fa106001a7cf2deb09192898ba82b50f.rtf
Resource: win7-20230220-en
17 signatures
150 seconds

Behavioral task: behavioral2
Sample: fa106001a7cf2deb09192898ba82b50f.rtf
Resource: win10v2004-20230221-en
4 signatures
150 seconds
General
Target: fa106001a7cf2deb09192898ba82b50f.rtf
Size: 25KB
MD5: fa106001a7cf2deb09192898ba82b50f
SHA1: d472611b9c4185f4dad80143c6c46cb3a3047779
SHA256: e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
SHA512: 16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
SSDEEP: 768:LEohQfFWWeZqbo8PC6uucJIOFMzGcAYl+CxjfbsredELLyxWlN:IoheWnIKIicYC16rLaWf
Score: 1/10
Malware Config
Signatures

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1904 | WINWORD.EXE
1904 | WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE
1904 | WINWORD.EXE

Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa106001a7cf2deb09192898ba82b50f.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1904