Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows10-1703_x64 -
resource
win10-20230220-ja -
resource tags
arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows -
submitted
15-03-2023 06:25
Behavioral task
behavioral1
Sample
2023-03-08_1026.doc
Resource
win10-20230220-ja
5 signatures
150 seconds
General
-
Target
2023-03-08_1026.doc
-
Size
506.3MB
-
MD5
0ba669a2667d28ea6f61262ecdfd34e0
-
SHA1
3e939d4cd1c0844de6c7ca9a8471858ddb1cfc8a
-
SHA256
5d16d4ce034ee7b7911e9acb53f1e75bff1940476dc1ec4b56f2a6d978da9cd0
-
SHA512
b2c8bfa9e79e003506869187580e80806ba8e87364c250c7b2f5c3cdafc0077bd048604af42e92fa2c1186451f963ca08d0aa16bfe8143cd0fc6b54a3d7ca48a
-
SSDEEP
6144:xPn4VZXbatu7MDogsDkHS50LdfcGcbz1f5M9KTFrMpSlMK3Ru+Q28:xP4PbNMkgg3Ru+x
Score
1/10
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 12 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4372 WINWORD.EXE 4372 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE 4372 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023-03-08_1026.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\IME\SHARED\imebroker.exeC:\Windows\System32\IME\SHARED\imebroker.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4372-119-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmpFilesize
64KB
-
memory/4372-120-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmpFilesize
64KB
-
memory/4372-121-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmpFilesize
64KB
-
memory/4372-122-0x00007FFD114A0000-0x00007FFD114B0000-memory.dmpFilesize
64KB
-
memory/4372-125-0x00007FFD0E5C0000-0x00007FFD0E5D0000-memory.dmpFilesize
64KB
-
memory/4372-126-0x00007FFD0E5C0000-0x00007FFD0E5D0000-memory.dmpFilesize
64KB