01995646493aefd8cb4924d260b65eae12d2376ceaa212b744202555e785ad9e

Analysis

max time kernel
103s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a69c1b43ed2931d02a7f1785b0818a2f.dotm
Size

23KB
MD5

a69c1b43ed2931d02a7f1785b0818a2f
SHA1

8c22f9d345bd25c77c95acaa55e46117ef76b7f6
SHA256

01995646493aefd8cb4924d260b65eae12d2376ceaa212b744202555e785ad9e
SHA512

7b249c6d595e56003570c6b064ef26195482282ba6e56d1f65220bbe0205013f85c29427fdf60bf4f6a252dd1deefd563a2936a396d73f09158787b4743f5ac4
SSDEEP

384:C6LZC78ttHQ7sqCWtVFaaWGoB1uGaVQF9p0lhS0wCzLizefxY4W7Y:Bq8ttjvWtba2oaQvp0lhS0DzLwefxY0

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

684 WINWORD.EXE
684 WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE
684	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a69c1b43ed2931d02a7f1785b0818a2f.dotm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
Filesize
23KB

MD5
a56584a2b93857826a3d4cd0eb25d176

SHA1
ac32cca353b3049444dbe7a231fc2c24369db5bb

SHA256
fca28f2d01aea37a99b77b887c99ae6b9e7d0da0d01eec8c5783887d6ef880bf

SHA512
213863b25dc3ae74071cbeba01f90a0c87b4b6716011d81ff9722c8fee1353a9a45c0db6e1478bfaab8216c37b07f94ee62f63aa46b5347e01f95bab03cd63da

Download Submit
C:\temp.tmp
Filesize
2KB

MD5
05b3d2c64f145c0e2438c84c793b31b0

SHA1
6aac20d4a2f53e9c8a0f645ce0678e37873bcc01

SHA256
223796b180da68d58816744f241ff1db184f4a165ec0ac62130ff7c8a1783739

SHA512
a90d3fa228b22ef3f84484652118c06f90c9fd10733e361cf2b5d197b1e4bd269139e3cbea457dc339791c117be43d20edb0bb72f54244b4a337b29021607138

Download Submit
C:\temp.tmp
Filesize
225B

MD5
519755378e58a854e2bd4652f7195193

SHA1
eca94844a06772a58cafa8bb4fccb054cdb450c0

SHA256
b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

SHA512
b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

Download Submit
C:\temp.tmp
Filesize
2KB

MD5
e5c52a67aa79223240fc7c4d2c1e9fd4

SHA1
719e66f7fe3459bd97123779f45110178500a229

SHA256
0cff90f344b2b723cf821a0a25a38a4a65f748b51089ca6f4eca3c389cd4e007

SHA512
462ffecad96c77dcd998bf6fed8f9d766f4ca6514e443154df85cae6ce663a16ae982d3a75fc67a4b6ccaf02e5e384adcd40635fa5caa2a9d476709287232183

Download Submit
memory/684-136-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-138-0x00007FFD66D00000-0x00007FFD66D10000-memory.dmp

Filesize
64KB

Download
memory/684-139-0x00007FFD66D00000-0x00007FFD66D10000-memory.dmp

Filesize
64KB

Download
memory/684-137-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-133-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-134-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-135-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-271-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-272-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-273-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download
memory/684-274-0x00007FFD68E90000-0x00007FFD68EA0000-memory.dmp

Filesize
64KB

Download