e2968a2027c0c139250ccd61c4b55df70a2fc6823f8ad7cc76605390c8c02048

Analysis

max time kernel
96s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1HC0019576_en NCR 02 - DXBHILLS - transversal installation unit.docm
Size

2.7MB
MD5

51aa75fff57f29b92782f67b129b2b97
SHA1

9f19f58c2744e7168895509b8122f5499f52108d
SHA256

e2968a2027c0c139250ccd61c4b55df70a2fc6823f8ad7cc76605390c8c02048
SHA512

836f288f5bd51fb920abe87326533667243841e2c80ad24baf4a065f42044d8765f924c07fcf4c5f2029be43e99d79b44a70c45f78c86553cf3a0d339fd10559
SSDEEP

49152:fPRUx7vTlkv760sQyBYXfDJ2cJyBrbQvF1h3ndD4haQ6x9KCRtDH4yAOEhzK2g:3Rk7Z060n2IoBrUdbBkAKCzxA57g

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

564 WINWORD.EXE
564 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

564 WINWORD.EXE
564 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE
564 WINWORD.EXE

pid	process
564	WINWORD.EXE
564	WINWORD.EXE

pid	process
564	WINWORD.EXE
564	WINWORD.EXE

pid	process
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE
564	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 564 wrote to memory of 3708	564	WINWORD.EXE	splwow64.exe
PID 564 wrote to memory of 3708	564	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1HC0019576_en NCR 02 - DXBHILLS - transversal installation unit.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1C170423.wmf
Filesize
470B

MD5
70bb1e10586a3da9dd73cb1f5a953c34

SHA1
c9568e9bc8a1fef4ec404bd8ab0005156b0ba7b3

SHA256
f80b00b66887290bf4b32f4f0427f2813a971cfea8b5aaba2b33abd688318f66

SHA512
a184a6b23cc19120ecb7193faa8161a2718a4a215c5ee92dd2296e9c61ae535aa900843caa42c6a33f89ca065c830ce10528c95233a6802cb546c39a912980c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C27C8.wmf
Filesize
470B

MD5
df865ad7cbb3109677dafb648bc03e98

SHA1
2c246a739f3b051372a6e00ae4eda8fdc869247a

SHA256
24947bbf0034e4d7b2abea5302583c4ae5a846afd8b4b5f7e1ee346213beee16

SHA512
b098b0295f2cfe1c8d4bae075c0c85159360a48838c2d8160936e489fe445a45f9a7a219e273abacaab5a3f84abfdf63b09285b08364a6568128f1a07a69b13f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\45755B1.wmf
Filesize
850B

MD5
a0b1a608b2da6aaf3e4ca832dfcc7c26

SHA1
a5cd01c8216d323134543596c8181e68cfb38710

SHA256
413e5853a5774d4c48af6a8ecc623995f4774ad16a63aab9ae3d1e74b8716230

SHA512
738557d09671b4f50caa902bb29ee73350aabecd377414b0e83b5b4591620825c0853d07d614d73abdfc22bad4bb2b72d400e4a91147ebb1bd4bab89dbeffb86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\62DCDFFE.wmf
Filesize
924B

MD5
19c7a1b8b3430caae41df89c35af908e

SHA1
7cc8c274941d1bd49c96c48e8155b553500e03ee

SHA256
a20e241c384e52d71c64d3cc0e511b63402a19f70942baadc09831c6034a7e13

SHA512
08a16e761f34e68c808f00b15ebf36f779d44e9e98b1daf888f4ca0fe615923b45b86ee2fea7455bd7f7d65948e4b4e17f08f7982d2fb0e10d1e0ea18e4eb071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\71DB8916.wmf
Filesize
902B

MD5
ca3fce8f6f476e582d8248a7d16fe1b2

SHA1
cb4de00beb4b5900e9f7a39598cea8e773c1cff8

SHA256
87f0e8892e4ee1208d2f20d6bcc7d132c2a0cb098eff1339cf6c2b3d9dd79bf6

SHA512
faed3b451f2464b83f26ef2f67e7e722c752dd913f2d88bd785165bba5c763e039195b758b048cb9abbbf8f50b83130e2ebbe68a074fda4a2c49168b4846ee5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\75F88CBC.wmf
Filesize
900B

MD5
2eb438d42065176c0915edfbfad6bfb8

SHA1
4d1df6796eb6bbceb4bf9d4f3da21d31fb9bff37

SHA256
5e46b700536d2566770e102ad8cef777c28daa41fadce8efecff7520c0163afe

SHA512
ad8db763cae20139f58d271a81c9cdb97a2cf43f1fc684c19753c80e14a46c2650922cb0d76152f70f496d3d121b75b2fc449c3e16355c3d1d848f089b9b4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C40E0D8D.wmf
Filesize
908B

MD5
c2f95fbbcba3dc457c028e3a2f06dc5c

SHA1
a461459b0b68226c7e8dc0066c5c9b105b341b4d

SHA256
05c367737a6c250991fe21de578cc8f32383a0e1474df7a86fd0ee4587ce1a7a

SHA512
b2139c4efabd9cb7a7841b4f935209faf3e67ee0ae7ae5a65cbe95c968636dee7ce25054b583e81378cc08ce32b627024ccfe9f881a0fd50c41164708c25bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DD6FB529.wmf
Filesize
470B

MD5
d5d3c8c8d7e844dfe8baec1d9804550e

SHA1
c192d572b36b31883379d7167e0a8938b9daf8bc

SHA256
383b14a7b4ede83c5d4dbeb80c3feebcd4148759efefd4a5a9b5f3e9690b86ea

SHA512
82cbe520fb46ea08e103a1fdaa85077db1162d853692324ef67c6069d3294e447d978644e61cb21c32ddbe9fc99ea76ef1e637f706738334562275ae9613bfd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E0E1DE2A.wmf
Filesize
926B

MD5
17829f46c171befac896e5d42dfa3bd2

SHA1
0d722fa5fa33009d0fe76f0d33b0d96c870c777a

SHA256
556a850e9a4c32e00dcad5ba63a9fc78b708a67927b8d80c6a0519e48daa0271

SHA512
75a3246f4cb99867dd460f726a3b76f0f5558bd493bd7ccb372073349203da199637a49ddc5a9bd6fae10ff1c3e8dbcadc7f0b5d223e75e9471eb62298741e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E64493E7.wmf
Filesize
946B

MD5
2b8289f69c5c83f0d702656b3ef7d94d

SHA1
be61b1703f1ff4980998cd38c47241b77f426af0

SHA256
a0bd60b227a0f706d374df2b051e7bf70d0c90c007535de751b34923ec641e5c

SHA512
de9abd2f7cd0860f478b7b0ae4e48ba967328b47734cbec228f408cb93424311b645caa4852de2a549abe0ee279b1384cdb4b70d178d46a60422666fa6a7e44f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F6A97070.wmf
Filesize
898B

MD5
2886b0d73cf25e1e1122be9874f59db1

SHA1
2c5dabe9e6c5b1db04bdaaa50a62aaa613a60599

SHA256
3bdc7583c62700f4215829eb511b67f03d09f66d4f584dcaae351b61184c0658

SHA512
8b4bb5ccd063afe8b6dbb0b8ef6517926d8ee8c9ba2c9e274179635b452ca8955f2090c1fd2dbd03fe8392aad694152b2ac4e35b8a9482617de57799290ef3c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/564-133-0x00007FFFF7E21000-0x00007FFFF7E22000-memory.dmp

Filesize
4KB

Download
memory/564-139-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/564-138-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/564-140-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/564-137-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/564-136-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/564-135-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/564-134-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/564-204-0x000001F405820000-0x000001F405A20000-memory.dmp

Filesize
2.0MB

Download
memory/564-315-0x000001F405820000-0x000001F405A20000-memory.dmp

Filesize
2.0MB

Download