Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
22-03-2023 16:22
Behavioral task
behavioral1
Sample
e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc
Resource
win10-20230220-en
General
-
Target
e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc
-
Size
270KB
-
MD5
c8898ca0af2861682e1fb970ae4cdb7e
-
SHA1
d58c7c6a2a86b825ca042c6b1493ac60e1d85c89
-
SHA256
e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592
-
SHA512
471478f93a46c51693c6c81210f47b5d04508ee2028c812e6a258fb42d5c8dfc53b0754d64c33aa0e1c5481fdac4215439b3305240d53e7d910d023391e10edf
-
SSDEEP
3072:FKQlkhFVDQxhkDzo0qT5e/UDrpgIAww6MVikUiAageLXQcXhq7P3PfdyY:FK+k5DQPkPq5pRO6ezw7P9y
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Script User-Agent 10 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 12 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 14 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3640 WINWORD.EXE 3640 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE 3640 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e054fee8e166f73b9213cbd2c4fb5b22ce158d7cc913878049ba3dbe70158592.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3640