88fab66e4eb810b964030070fc64d1f792984263d43a95e167d260f0a9345f2d

Resubmissions

29-03-2023 07:59

230329-jvd9eaha5s 8

29-03-2023 07:35

230329-jezkeagh8s 8

Analysis

max time kernel
139s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230220-ja
resource tags

arch:x64arch:x86image:win10-20230220-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
29-03-2023 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Size

200KB
MD5

69dd7fd355d79db0325816569ae2129a
SHA1

c08bf05db87896a15ac1913ac96bd47a35220225
SHA256

526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44
SHA512

0e1d6c6bb1fda6e81368ed6a8070c5a11f0684f7335eba5f940657581bb4d2bf51bf8c2b474a8916484763ec3af9d122fd5bcf65029e86081a1d71bfa7f963b8
SSDEEP

3072:538nFAJvcOGlU4wTBql1xnsAyt5OJEJp6y:FDBGWJIl1xsAa

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5080 WINWORD.EXE
5080 WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXE

pid	process
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE
5080	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5080-121-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmp

Filesize
64KB

Download
memory/5080-122-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmp

Filesize
64KB

Download
memory/5080-123-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmp

Filesize
64KB

Download
memory/5080-124-0x00007FF8822A0000-0x00007FF8822B0000-memory.dmp

Filesize
64KB

Download
memory/5080-127-0x00007FF87F010000-0x00007FF87F020000-memory.dmp

Filesize
64KB

Download
memory/5080-128-0x00007FF87F010000-0x00007FF87F020000-memory.dmp

Filesize
64KB

Download