Analysis
-
max time kernel
137s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
30-03-2023 08:33
Behavioral task
behavioral1
Sample
cb0dedfe45e2815974984b5e2ac6cdfd9d63bcc707ff1ed5ad95c919497b5efb.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
cb0dedfe45e2815974984b5e2ac6cdfd9d63bcc707ff1ed5ad95c919497b5efb.doc
Resource
win10v2004-20230221-en
General
-
Target
cb0dedfe45e2815974984b5e2ac6cdfd9d63bcc707ff1ed5ad95c919497b5efb.doc
-
Size
129KB
-
MD5
a0f20cd73ab21c559431425a99543a1c
-
SHA1
c5dea3856583e6e7f83ee8f32e20519ad9c3c4fe
-
SHA256
cb0dedfe45e2815974984b5e2ac6cdfd9d63bcc707ff1ed5ad95c919497b5efb
-
SHA512
4843065ef09267e92f5d2bd87816f5841647d13396d0e38614827dc2ac2112244a4e5a180afe3be8c9aac1f8f40343ee7df8f8682bf8c4473d0e918535e568d9
-
SSDEEP
1536:AVPBtmkSU1mSYYe0Mpd/Opmh95ikkO4MrYIE47RYQZt14nziknsLkEg:AdT5YYexh9ok2bIL7RNz15g
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4632 WINWORD.EXE 4632 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 4632 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
WINWORD.EXEpid process 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE 4632 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cb0dedfe45e2815974984b5e2ac6cdfd9d63bcc707ff1ed5ad95c919497b5efb.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8923DCE3.wmfFilesize
3KB
MD55db260e97001066662d4c4592c9998ac
SHA1bdd1c0a9d3347f0e7da656903e04267913111c04
SHA2566a1226ee997663eea02265187ad1081f931b36fa87452a04c810587ac9f56410
SHA5120b947a75bc46e9f630845076c8170eb492e6195de2d332eda6298e2a7aa7fe811aff4d38d368a61b5711277ee03e3404faf6fb86dffbf7bbb6ad0b3ca2f40fc9
-
memory/4632-133-0x00007FFD03090000-0x00007FFD030A0000-memory.dmpFilesize
64KB
-
memory/4632-134-0x00007FFD03090000-0x00007FFD030A0000-memory.dmpFilesize
64KB
-
memory/4632-135-0x00007FFD03090000-0x00007FFD030A0000-memory.dmpFilesize
64KB
-
memory/4632-136-0x00007FFD03090000-0x00007FFD030A0000-memory.dmpFilesize
64KB
-
memory/4632-137-0x00007FFD03090000-0x00007FFD030A0000-memory.dmpFilesize
64KB
-
memory/4632-138-0x00007FFD01030000-0x00007FFD01040000-memory.dmpFilesize
64KB
-
memory/4632-139-0x00007FFD01030000-0x00007FFD01040000-memory.dmpFilesize
64KB