Analysis
- max time kernel: 1799s
- max time network: 1795s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 15:02
Behavioral task behavioral1
- Sample: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
- Resource: win10v2004-20230220-en
General
- Target: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm
- Size: 35KB
- MD5: c47bba8a8821ace4dec8e4a83bcf5d86
- SHA1: 7ca510812ddbfb4be6ce3506143e0ed9ac92c5e7
- SHA256: e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e
- SHA512: 81d6ec5ff3610a1770b0f3030fbf6ac3438d8e58ab17092b94c4bdf0cb2466a2c200d4d8d6405364dbd127dc2ca04e7c3eb61d92a0b073d04e2b13b7939e3f23
- SSDEEP: 768:pIBkgj8RxAQkGbPcyqy81pTxllNBujX/2NW:Uj8RXkGwyRepTBOruE
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 4824 rad5B1E1.tmp.exe
YARA matches (resource, rule):
- C:\Users\Admin\AppData\Local\Temp\rad5B1E1.tmp.exe: upx
- C:\Users\Admin\AppData\Local\Temp\rad5B1E1.tmp.exe: upx
- behavioral2/memory/4824-223-0x00000000003D0000-0x00000000008E9000-memory.dmp: upx
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Network (description, flow, ioc):
- HTTP User-Agent header, flow 25: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process):
- 2472 WINWORD.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes (pid, process):
- 2472 WINWORD.EXE (10 occurrences)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
- PID 2472 (WINWORD.EXE) wrote to memory of 4824 (rad5B1E1.tmp.exe)
- PID 2472 (WINWORD.EXE) wrote to memory of 4824 (rad5B1E1.tmp.exe)
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e61ad1ca19a69d4c85b91d8b7b69cf08413fd78fd7df1c878a10a4c5b4497b9e.docm" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2472
   2. C:\Users\Admin\AppData\Local\Temp\rad5B1E1.tmp.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\rad5B1E1.tmp.exe
      - Executes dropped EXE
      PID: 4824
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rad5B1E1.tmp.exe
  Filesize: 1.8MB
  MD5: 15df6ef5f388e706ab46675c00185ae4
  SHA1: 62b0e6473f98470d25a16a2a2d96095570403670
  SHA256: 1e27243ac8e2edff7d5be32a012530add1bae71ad5452064dfcd35e69d95f313
  SHA512: 34578d2a61629ea8e14a8ae8dfa86c608f84b7928aa15535b1250270122439b46d173153b993178d3352d9f49eeff80ed3c0d9efef70acf149666ce9a68fb659
- memory/2472-140-0x00007FFB7B3D0000-0x00007FFB7B3E0000-memory.dmp (Filesize: 64KB)
- memory/2472-136-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-137-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-138-0x00007FFB7B3D0000-0x00007FFB7B3E0000-memory.dmp (Filesize: 64KB)
- memory/2472-133-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-135-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-134-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-257-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-258-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-259-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/2472-260-0x00007FFB7D650000-0x00007FFB7D660000-memory.dmp (Filesize: 64KB)
- memory/4824-223-0x00000000003D0000-0x00000000008E9000-memory.dmp (Filesize: 5.1MB)