Analysis
max time kernel: 136s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-03-2023 08:25
Behavioral task: behavioral1
Sample: 526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Resource: win10v2004-20230220-en
General
Target: 526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc
Size: 200KB
MD5: 69dd7fd355d79db0325816569ae2129a
SHA1: c08bf05db87896a15ac1913ac96bd47a35220225
SHA256: 526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44
SHA512: 0e1d6c6bb1fda6e81368ed6a8070c5a11f0684f7335eba5f940657581bb4d2bf51bf8c2b474a8916484763ec3af9d122fd5bcf65029e86081a1d71bfa7f963b8
SSDEEP: 3072:538nFAJvcOGlU4wTBql1xnsAyt5OJEJp6y:FDBGWJIl1xsAa
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
2092 | WINWORD.EXE
2092 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (17 IoCs)
Processes:
pid | process
2092 | WINWORD.EXE (17 entries, all from pid 2092)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\526f48c6b3b767c119282e362eeb39238ac3593f7b3742eb08e67cd93d913a44.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2092-133-0x00007FFCBBC70000-0x00007FFCBBC80000-memory.dmp (Filesize 64KB)
memory/2092-134-0x00007FFCBBC70000-0x00007FFCBBC80000-memory.dmp (Filesize 64KB)
memory/2092-135-0x00007FFCBBC70000-0x00007FFCBBC80000-memory.dmp (Filesize 64KB)
memory/2092-136-0x00007FFCBBC70000-0x00007FFCBBC80000-memory.dmp (Filesize 64KB)
memory/2092-137-0x00007FFCBBC70000-0x00007FFCBBC80000-memory.dmp (Filesize 64KB)
memory/2092-138-0x00007FFCB9AE0000-0x00007FFCB9AF0000-memory.dmp (Filesize 64KB)
memory/2092-139-0x00007FFCB9AE0000-0x00007FFCB9AF0000-memory.dmp (Filesize 64KB)