Analysis
-
max time kernel
17s -
max time network
154s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
21-03-2023 23:37
Behavioral task
behavioral1
Sample
a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc
Resource
win10-20230220-en
General
-
Target
a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc
-
Size
201KB
-
MD5
f0c64ca95b183fe9dd9a69631029ac13
-
SHA1
34547a5c6d7e9eb675b8e3fb810b36a0ed62213b
-
SHA256
a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9
-
SHA512
19b6419e698a19fd626ba24b7086467b7d262314ea410a99656aa45c7355311507f9625498b736db11100a4e898d723a8c27244987099e75a8c931510eea4355
-
SSDEEP
3072:tYAYyVlI23Etx/4DeJxD0QU+5c/18dJ95R3s14Mzgpq:qAXatZxh0QHg8dJ9r3dMzgQ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Script User-Agent 10 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 12 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1688 WINWORD.EXE 1688 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE 1688 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a49ae9a2ac9ce330db6a2dd480c129fa7206392262e64d4433f2c7f35cda28a9.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1688-121-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-122-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-123-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-124-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-127-0x00007FFB63F00000-0x00007FFB63F10000-memory.dmpFilesize
64KB
-
memory/1688-128-0x00007FFB63F00000-0x00007FFB63F10000-memory.dmpFilesize
64KB
-
memory/1688-408-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-410-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-409-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB
-
memory/1688-407-0x00007FFB66CA0000-0x00007FFB66CB0000-memory.dmpFilesize
64KB