ed0650eb9d5784d336f42400bbf9da079f4e099401c090fda7dfdc89ed6764ef

Analysis

max time kernel
154s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc
Size

1.1MB
MD5

29835ed466ccc13d014f563c7d750db5
SHA1

617b2671bf18760b44b88ddbf986fa5f3689810b
SHA256

ed0650eb9d5784d336f42400bbf9da079f4e099401c090fda7dfdc89ed6764ef
SHA512

dd69a17eecc0c5c46ed00195e41e0112880e9d6ee0bad36a400de0dbc406430c28b4f96a0c236b5b557a5f259066d5642c773c5d2c8f6ec78290920cda2b9434
SSDEEP

24576:aSYuchKJeclat5QJOjyMzj8qDACPnRGkhDNwSMv7gWVGhWAcgo:kuchyatmcjyej8IAyG0WSMv7gqGhW

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

628 WINWORD.EXE
628 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

628 WINWORD.EXE
628 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

628 WINWORD.EXE
628 WINWORD.EXE
628 WINWORD.EXE
628 WINWORD.EXE
628 WINWORD.EXE
628 WINWORD.EXE
628 WINWORD.EXE

pid	process
628	WINWORD.EXE
628	WINWORD.EXE

pid	process
628	WINWORD.EXE
628	WINWORD.EXE

pid	process
628	WINWORD.EXE
628	WINWORD.EXE
628	WINWORD.EXE
628	WINWORD.EXE
628	WINWORD.EXE
628	WINWORD.EXE
628	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 628 wrote to memory of 1128	628	WINWORD.EXE	splwow64.exe
PID 628 wrote to memory of 1128	628	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.not-a-virus.HEUR.Downloader.MSOffice.Alien.gen.18914.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F107A96.wmf
Filesize
370B

MD5
783e2615c483426f3e4a568023b98aa2

SHA1
d810ad2c097e4c6b5daf4ed4322fecca53bd948d

SHA256
c6df986c5d35a96db45b859e38edaa41af50fb4493ded149af9a6f1709a53ba4

SHA512
1e49672ec6a2fe01693475433d567b238a394495d0d4d8deb7cbc91f71bc3d733e66671d8cf7bf0b9d8a771f01819b26cb46fa53a0d5ecc961a0c21ff6a02abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F4D54FA3.wmf
Filesize
598B

MD5
6d90c5628569450dc11cc7df64bd800b

SHA1
5c552d55d712accaafc04e2cfdb69149556e5124

SHA256
c9454bd5ce61590cbb2bc0490200a498b979dda072707e92a583e8114e5fe227

SHA512
1488af672bdf4898b697ac0a0f409f45e090f50e3194ca8d048c94d2a784c8735309dd7abd3e2cd056a185fe38badf31521c885a5cb5e358375fc0b5c2bb1405

Download Submit
memory/628-136-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-133-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-137-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-138-0x00007FFC738E0000-0x00007FFC738F0000-memory.dmp

Filesize
64KB

Download
memory/628-139-0x00007FFC738E0000-0x00007FFC738F0000-memory.dmp

Filesize
64KB

Download
memory/628-148-0x0000020CEA240000-0x0000020CEA440000-memory.dmp

Filesize
2.0MB

Download
memory/628-134-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-135-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-177-0x0000020CEA240000-0x0000020CEA440000-memory.dmp

Filesize
2.0MB

Download
memory/628-230-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-231-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-232-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download
memory/628-233-0x00007FFC76130000-0x00007FFC76140000-memory.dmp

Filesize
64KB

Download