360e739562353633bb735f2a4cfe5967e893599d910089aea319d4528ec9c853

Analysis

max time kernel
148s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d5ccb296d91cebe59ce6d5e86ddc9b.doc
Size

71KB
MD5

24d5ccb296d91cebe59ce6d5e86ddc9b
SHA1

babc81f66a331f702dbcad50ef0c67f74aea295d
SHA256

360e739562353633bb735f2a4cfe5967e893599d910089aea319d4528ec9c853
SHA512

f6cbe7283988e2a9002a7bc3fd4c8c932478488924f16536fae05973657c88af17a91c9148ae64105c6431819d483c0755ce4975d191fde3a6e6ba3e97a98ad4
SSDEEP

384:xQDvTPAEFCWWWWWWWExByGcSxwAjLROJ/+rHhH8YBjN7sM90kteX0jSPtGUOEM:xQDv7Vux3fnx4pkWF8

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2716 WINWORD.EXE
2716 WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE
2716	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\24d5ccb296d91cebe59ce6d5e86ddc9b.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
Filesize
24KB

MD5
2ebca54217b2e957a6aa01344c42043a

SHA1
4a096d2f003ad19e7c8d732942785e9243c3b01d

SHA256
c874b4b8929445120a4a90db5ad0a640a9d69bf1afa7656d12e1b0f282f9b2ae

SHA512
db21c8b9928a28c07cb8d138b6e91bc57df17db337aa8507723e503661fdbb320dc6a67cec30998039f8a60500a9da5bf3a123fe35ff725889367f883c3fcb7e

Download Submit
C:\VB2C33.tmp
Filesize
2KB

MD5
5f43e290d93acc468630b95db155d639

SHA1
0ff150e4d70f35e8611e4eac263766ea381cd815

SHA256
c927b679b0814ffb38976e6920250905a49775e77be1e82413ce9005997e62f2

SHA512
be4f531e7feb9d63eb4872c08d4ee3441b38b23f07212ed2f3c18647c255bf825cbb6e1a23e6cb6c5c7f4b100c81f1d1c6d4b3be9dde0dccf222224b002177a6

Download Submit
C:\temp.tmp
Filesize
2KB

MD5
a88ac52b33911c3c0bcb6a942e714ddf

SHA1
0dcd851a8c5ba06dd87b29ba3361c14b57b40294

SHA256
bb625b292a9231e424869566ca93ea191bed5a08e83fb5a28706ca03a5b8a526

SHA512
10fd747767f276d15d7a7c6700adf127bf4eb15cef7a3cdd59a947fd6b94c614c40266412372f964a684579292f55c5270753e73bc2b1f3cf5f35a6d3f19a092

Download Submit
C:\temp.tmp
Filesize
225B

MD5
519755378e58a854e2bd4652f7195193

SHA1
eca94844a06772a58cafa8bb4fccb054cdb450c0

SHA256
b5aa96f3f7930aced20f57e7f4fe5957e37be0f504fb2f49606f80b19e79bf20

SHA512
b1e3a0dc5562e558bb8542c4f9288ce4493ddc9c5c533fff9a07e008a6acef0fbacfc03d867d5ff54fb602e9f3148fa073bb93a1ca386ea42f88b063f0726d52

Download Submit
memory/2716-136-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-138-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/2716-140-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/2716-137-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-133-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-135-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-134-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-369-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-371-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-370-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/2716-372-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download