Analysis
-
max time kernel
139s -
max time network
134s -
platform
windows10-1703_x64 -
resource
win10-20230220-ja -
resource tags
arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows -
submitted
29-03-2023 07:59
Behavioral task
behavioral1
Sample
526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Resource
win10-20230220-ja
Behavioral task
behavioral2
Sample
526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Resource
win7-20230220-ja
Behavioral task
behavioral3
Sample
526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Resource
win10v2004-20230220-ja
General
-
Target
526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
-
Size
200KB
-
MD5
69dd7fd355d79db0325816569ae2129a
-
SHA1
c08bf05db87896a15ac1913ac96bd47a35220225
-
SHA256
526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44
-
SHA512
0e1d6c6bb1fda6e81368ed6a8070c5a11f0684f7335eba5f940657581bb4d2bf51bf8c2b474a8916484763ec3af9d122fd5bcf65029e86081a1d71bfa7f963b8
-
SSDEEP
3072:538nFAJvcOGlU4wTBql1xnsAyt5OJEJp6y:FDBGWJIl1xsAa
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 5080 WINWORD.EXE 5080 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
WINWORD.EXEpid process 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE 5080 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/5080-121-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmpFilesize
64KB
-
memory/5080-122-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmpFilesize
64KB
-
memory/5080-123-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmpFilesize
64KB
-
memory/5080-124-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmpFilesize
64KB
-
memory/5080-127-0x00007FF87F010000-0x00007FF87F020000-memory.dmpFilesize
64KB
-
memory/5080-128-0x00007FF87F010000-0x00007FF87F020000-memory.dmpFilesize
64KB