Analysis
-
max time kernel
154s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
30-03-2023 23:40
Behavioral task
behavioral1
Sample
SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc
Resource
win10v2004-20230220-en
General
-
Target
SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc
-
Size
1.1MB
-
MD5
29835ed466ccc13d014f563c7d750db5
-
SHA1
617b2671bf18760b44b88ddbf986fa5f3689810b
-
SHA256
ed0650eb9d5784d336f42400bbf9da079f4e099401c090fda7dfdc89ed6764ef
-
SHA512
dd69a17eecc0c5c46ed00195e41e0112880e9d6ee0bad36a400de0dbc406430c28b4f96a0c236b5b557a5f259066d5642c773c5d2c8f6ec78290920cda2b9434
-
SSDEEP
24576:aSYuchKJeclat5QJOjyMzj8qDACPnRGkhDNwSMv7gWVGhWAcgo:kuchyatmcjyej8IAyG0WSMv7gqGhW
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 628 WINWORD.EXE 628 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 628 WINWORD.EXE 628 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 628 WINWORD.EXE 628 WINWORD.EXE 628 WINWORD.EXE 628 WINWORD.EXE 628 WINWORD.EXE 628 WINWORD.EXE 628 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 628 wrote to memory of 1128 628 WINWORD.EXE splwow64.exe PID 628 wrote to memory of 1128 628 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F107A96.wmfFilesize
370B
MD5783e2615c483426f3e4a568023b98aa2
SHA1d810ad2c097e4c6b5daf4ed4322fecca53bd948d
SHA256c6df986c5d35a96db45b859e38edaa41af50fb4493ded149af9a6f1709a53ba4
SHA5121e49672ec6a2fe01693475433d567b238a394495d0d4d8deb7cbc91f71bc3d733e66671d8cf7bf0b9d8a771f01819b26cb46fa53a0d5ecc961a0c21ff6a02abf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F4D54FA3.wmfFilesize
598B
MD56d90c5628569450dc11cc7df64bd800b
SHA15c552d55d712accaafc04e2cfdb69149556e5124
SHA256c9454bd5ce61590cbb2bc0490200a498b979dda072707e92a583e8114e5fe227
SHA5121488af672bdf4898b697ac0a0f409f45e090f50e3194ca8d048c94d2a784c8735309dd7abd3e2cd056a185fe38badf31521c885a5cb5e358375fc0b5c2bb1405
-
memory/628-136-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-133-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-137-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-138-0x00007FFC738E0000-0x00007FFC738F0000-memory.dmpFilesize
64KB
-
memory/628-139-0x00007FFC738E0000-0x00007FFC738F0000-memory.dmpFilesize
64KB
-
memory/628-148-0x0000020CEA240000-0x0000020CEA440000-memory.dmpFilesize
2.0MB
-
memory/628-134-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-135-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-177-0x0000020CEA240000-0x0000020CEA440000-memory.dmpFilesize
2.0MB
-
memory/628-230-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-231-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-232-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB
-
memory/628-233-0x00007FFC76130000-0x00007FFC76140000-memory.dmpFilesize
64KB