Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2023 08:53
Static task
static1
Behavioral task
behavioral1
Sample
09bc8adfe0ffd0fccff2be1dda684beb.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
09bc8adfe0ffd0fccff2be1dda684beb.doc
Resource
win10v2004-20230220-en
General
-
Target
09bc8adfe0ffd0fccff2be1dda684beb.doc
-
Size
1.1MB
-
MD5
09bc8adfe0ffd0fccff2be1dda684beb
-
SHA1
e29f863614917427451331f6da1904eb2fa88ea3
-
SHA256
d74e39811a50e6fec07b45cdd4fcb5237616ee6af5e0e834aa55bc98332d4c43
-
SHA512
863f8a6c3006c414a856c2b989cf378f9633615391cb3ececa489c717a49b1b8a907371666ae58de42e618d049679ae447575c4f5bb93a453ac6b74f4d598025
-
SSDEEP
24576:c1Gjm3E180RVWTWrlGmKJWVlyiQo6E0tRpzAY:c1Ga3EL2MGmK2lDQtZn
Malware Config
Signatures
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp office_macro_on_action -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1272 WINWORD.EXE 1272 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
WINWORD.EXEpid process 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE 1272 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\09bc8adfe0ffd0fccff2be1dda684beb.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmpFilesize
1.2MB
MD5a739bfbae3db6a35bbc564f6b1fedaa6
SHA137eb037775cb9d2a35a29e0f76afef7c521563fd
SHA2562caca704949905b59f1ecc31c9ad9a0d05a304f44a504b5eb882bb1bbd2ad4bc
SHA512b320d8962826f191b9e3146ae78880c1fd4f1ccab76f8a5df3b278a505ae3b9c5a51f832667be54502a394e0d7deff8cf0306e1881a09364239fa55e2b5ad3d4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmpFilesize
28KB
MD5ab26a47e23d2bb2d656b056ef0daa7b4
SHA124d90630f6978316067a9e6db545d6a4d05ce854
SHA2560983a92bddee7212043cc0af5d7ea5a1a1079212cf7da703d9aea3ac0954b604
SHA512621419d15f5b167553f022dad5b97dfc73c744f9f754e880debf8b4f7238f3f91c22cccc4f7aa198214af75c64f52e3665a46c2e4db86361c6285fc7f4990311
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0004.tmpFilesize
27KB
MD502ef8c7ffdaf3d932a8f8fa1c3e13f8f
SHA11d6a303ad23b1272863ecba588a37d28685f65be
SHA256f25c872d47e5dd4399e4a8aa8ddca09f3a89f345c5f2accafbf505b06d567b62
SHA512c5c26fd6c92e2f7a69423eafcdf50d32b46326c9f5053f591fd229fb78ac1b0d645e61aa3b704566879b7790404868448264e2e834006abd56722a85d9f3b341
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/1272-136-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-138-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmpFilesize
64KB
-
memory/1272-140-0x00007FF8E8190000-0x00007FF8E81A0000-memory.dmpFilesize
64KB
-
memory/1272-137-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-133-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-135-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-134-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-319-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-320-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-321-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB
-
memory/1272-322-0x00007FF8EA3B0000-0x00007FF8EA3C0000-memory.dmpFilesize
64KB