d74e39811a50e6fec07b45cdd4fcb5237616ee6af5e0e834aa55bc98332d4c43

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bc8adfe0ffd0fccff2be1dda684beb.doc
Size

1.1MB
MD5

09bc8adfe0ffd0fccff2be1dda684beb
SHA1

e29f863614917427451331f6da1904eb2fa88ea3
SHA256

d74e39811a50e6fec07b45cdd4fcb5237616ee6af5e0e834aa55bc98332d4c43
SHA512

863f8a6c3006c414a856c2b989cf378f9633615391cb3ececa489c717a49b1b8a907371666ae58de42e618d049679ae447575c4f5bb93a453ac6b74f4d598025
SSDEEP

24576:c1Gjm3E180RVWTWrlGmKJWVlyiQo6E0tRpzAY:c1Ga3EL2MGmK2lDQtZn

Score

8^/10

macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp	office_macro_on_action

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1272 WINWORD.EXE
1272 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE
1272	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\09bc8adfe0ffd0fccff2be1dda684beb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp
Filesize
1.2MB

MD5
a739bfbae3db6a35bbc564f6b1fedaa6

SHA1
37eb037775cb9d2a35a29e0f76afef7c521563fd

SHA256
2caca704949905b59f1ecc31c9ad9a0d05a304f44a504b5eb882bb1bbd2ad4bc

SHA512
b320d8962826f191b9e3146ae78880c1fd4f1ccab76f8a5df3b278a505ae3b9c5a51f832667be54502a394e0d7deff8cf0306e1881a09364239fa55e2b5ad3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
Filesize
28KB

MD5
ab26a47e23d2bb2d656b056ef0daa7b4

SHA1
24d90630f6978316067a9e6db545d6a4d05ce854

SHA256
0983a92bddee7212043cc0af5d7ea5a1a1079212cf7da703d9aea3ac0954b604

SHA512
621419d15f5b167553f022dad5b97dfc73c744f9f754e880debf8b4f7238f3f91c22cccc4f7aa198214af75c64f52e3665a46c2e4db86361c6285fc7f4990311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0004.tmp
Filesize
27KB

MD5
02ef8c7ffdaf3d932a8f8fa1c3e13f8f

SHA1
1d6a303ad23b1272863ecba588a37d28685f65be

SHA256
f25c872d47e5dd4399e4a8aa8ddca09f3a89f345c5f2accafbf505b06d567b62

SHA512
c5c26fd6c92e2f7a69423eafcdf50d32b46326c9f5053f591fd229fb78ac1b0d645e61aa3b704566879b7790404868448264e2e834006abd56722a85d9f3b341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1272-136-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-138-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/1272-140-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmp

Filesize
64KB

Download
memory/1272-137-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-133-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-135-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-134-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-319-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-320-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-321-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download
memory/1272-322-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmp

Filesize
64KB

Download