Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2023 13:19
Behavioral task: behavioral1
Sample: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
Resource: win10v2004-20230221-en
General
Target: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
Size: 35KB
MD5: c47bba8a8821ace4dec8e4a83bcf5d86
SHA1: 7ca510812ddbfb4be6ce3506143e0ed9ac92c5e7
SHA256: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e
SHA512: 81d6ec5ff3610a1770b0f3030fbf6ac3438d8e58ab17092b94c4bdf0cb2466a2c200d4d8d6405364dbd127dc2ca04e7c3eb61d92a0b073d04e2b13b7939e3f23
SSDEEP: 768:pIBkgj8RxAQkGbPcyqy81pTxllNBujX/2NW:Uj8RXkGwyRepTBOruE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2644  radEC8F7.tmp.exe
  YARA rule matches (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\radEC8F7.tmp.exe  upx
    behavioral2/memory/2644-220-0x00000000006D0000-0x0000000000BE9000-memory.dmp  upx
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses a user-agent string associated with a script host/environment.
  Network flows (description / flow / ioc):
    HTTP User-Agent header  34  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid / process):
    2244  WINWORD.EXE
    2244  WINWORD.EXE
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes (pid / process):
    2244  WINWORD.EXE (10 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
    PID 2244 wrote to memory of 2644  2244  WINWORD.EXE  radEC8F7.tmp.exe
    PID 2244 wrote to memory of 2644  2244  WINWORD.EXE  radEC8F7.tmp.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\radEC8F7.tmp.exe (tree depth 2, spawned under WINWORD.EXE)
  Command line: C:\Users\Admin\AppData\Local\Temp\radEC8F7.tmp.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\radEC8F7.tmp.exe
  Filesize: 1.8MB
  MD5: 15df6ef5f388e706ab46675c00185ae4
  SHA1: 62b0e6473f98470d25a16a2a2d96095570403670
  SHA256: 1e27243ac8e2edff7d5be32a012530add1bae71ad5452064dfcd35e69d95f313
  SHA512: 34578d2a61629ea8e14a8ae8dfa86c608f84b7928aa15535b1250270122439b46d173153b993178d3352d9f49eeff80ed3c0d9efef70acf149666ce9a68fb659
- memory/2244-139-0x00007FFA278C0000-0x00007FFA278D0000-memory.dmp  Filesize: 64KB
- memory/2244-136-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-137-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-138-0x00007FFA278C0000-0x00007FFA278D0000-memory.dmp  Filesize: 64KB
- memory/2244-133-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-134-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-135-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-257-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-258-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-259-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2244-260-0x00007FFA2A110000-0x00007FFA2A120000-memory.dmp  Filesize: 64KB
- memory/2644-220-0x00000000006D0000-0x0000000000BE9000-memory.dmp  Filesize: 5.1MB