Analysis
max time kernel: 101s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2023 22:46
Behavioral task: behavioral1
Sample: static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc
Resource: win10v2004-20230220-en
General
Target: static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc
Size: 43KB
MD5: 8311b9a9b1e95f909c18f3dabde85bdf
SHA1: 4fff32ca0977f640ee30141cc0aa0dceebf16e3a
SHA256: 6eba626c90591ad1975900edf0553731f619c4f60ed635a0d81a354443fa2935
SHA512: 4cc484e8b5e11cc58218cea354495e9c96b04fea9883cc9a3eadd52792ab4301d9a5fa7396965975c7c7ffe436198f7a933c5ad7111ff18283e0c2a8d5153231
SSDEEP: 384:6p1bR/DiMzg6qh5fqrDm8sNkp3PCCCGsb3TSE0j2RtNEdRyGcS2rdj3:4t/DiMc5fqsNiCHb3Tvlpaur
Malware Config
Signatures
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
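The two signatures above are triggered by reads of the CentralProcessor and BIOS keys under HKLM\HARDWARE\DESCRIPTION\System. The following is an added example, not part of the sandbox report, that classifies registry IoC lines in the form the report prints them ("Key opened <path>" / "Key value queried <path>") into hardware-fingerprinting categories. The category names and rule patterns are this example's own choices; the first six sample lines are copied from the report, the last one is a constructed, unrelated control line. Note the caveat the report itself demonstrates: WINWORD.EXE reads these keys on its own, so a hit here is a weak signal that has to be read together with the process tree and network activity, not a verdict.

```python
import re
from collections import Counter

# Constructed sample input: the six registry IoCs from the report above plus one
# unrelated control line (a made-up path) to show the "other" bucket.
SAMPLE_IOCS = r"""
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried \REGISTRY\MACHINE\SOFTWARE\Example\Settings\Theme
"""

# One IoC line: the action the sandbox logged, then the native registry path.
IOC_RE = re.compile(r"^Key (opened|value queried)\s+(\\REGISTRY\\\S+)$")

# Registry locations commonly read to tell a VM/sandbox apart from real hardware.
# Matched case-insensitively because the report mixes Hardware/HARDWARE.
# These rule names and patterns are assumptions of this example, not the sandbox's.
FINGERPRINT_RULES = (
    ("cpu_fingerprint", re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+", re.I)),
    ("bios_fingerprint", re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS", re.I)),
)


def parse_ioc(line):
    """Return (action, path) for a registry IoC line, or None for any other line."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def classify(path):
    """Map a registry path to a fingerprint category, or 'other' if no rule matches."""
    for name, rx in FINGERPRINT_RULES:
        if rx.search(path):
            return name
    return "other"


def summarize(text):
    """Count IoC lines per category; non-IoC lines are ignored."""
    counts = Counter()
    for line in text.splitlines():
        parsed = parse_ioc(line)
        if parsed:
            counts[classify(parsed[1])] += 1
    return dict(counts)


def fingerprint_values(text):
    """Names of the individual values read from fingerprinting keys (not bare key opens)."""
    names = set()
    for line in text.splitlines():
        parsed = parse_ioc(line)
        if parsed and parsed[0] == "value queried" and classify(parsed[1]) != "other":
            names.add(parsed[1].rsplit("\\", 1)[1])
    return names


if __name__ == "__main__":
    print(summarize(SAMPLE_IOCS))
    print(sorted(fingerprint_values(SAMPLE_IOCS)))
```

The value names are worth keeping separately from the counts: ~MHz and ProcessorNameString together are the classic CPU-model-and-clock check, while a single SystemSKU read is far more common in benign telemetry, so a triage rule that weights the combination is less noisy than one that counts key opens.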
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 5064 WINWORD.EXE (2 occurrences)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: WINWORD.EXE
- PID 5064 WINWORD.EXE (2 occurrences)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 5064 WINWORD.EXE (7 occurrences)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
- PID 5064 (WINWORD.EXE) wrote to memory of PID 1836 (splwow64.exe)
- PID 5064 (WINWORD.EXE) wrote to memory of PID 1836 (splwow64.exe)
The target is splwow64.exe, the Windows print driver host that Office spawns when it renders or prints, so this IoC on its own is not evidence of injection into an unrelated process; it is the child process shown in the process tree below.
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\static.wpe.au.syrahost.com_var_m_b_be_be8_39900_367035-apricot_20_20ginger_20jam.doc_download.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe (child of WINWORD.EXE)
      Command line: C:\Windows\splwow64.exe 12288
1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\225A6AC3.wmf
  Filesize: 508B
  MD5: 8119bb50d0fdebf8c68516af8801ae38
  SHA1: bb853b5f29cfca8b843f11125f94fcb08a19eda4
  SHA256: 14e72e727d8f7a7b192a0dde9715c470c17b5c14534666f65faab03ccad7f17c
  SHA512: 8b2c01943d37485ab66c9de998e5a645e884b9d0d2ffd33143d6905e1a71056b1b243b18b82e22d93e138aefe652e9ff8e008f4f2eea8ed0dda3ba75a992d33e
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\314C8440.wmf
  Filesize: 558B
  MD5: 17ae7341f470816b9dca70bc22ee59b2
  SHA1: 00338f4957099bdcef9295cdc235a934489db89f
  SHA256: cc51c00ce416aab87c51cdf39a17a258d4e9fc92d6066467b0eaa1519373d304
  SHA512: 2f0ecccc437664edaf48d749f4733d3978cf672e294b0700babebaff895b30ef2dc21ab4b2143b7ca214a0214777c4d5440e88df060d415607f37632dfccb2e3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B3C15B4.wmf
  Filesize: 490B
  MD5: 897ae1d30a6b875d032a2372db435446
  SHA1: 7096c3ba5384f3e97a688a0d8fcd970032b41e29
  SHA256: 065ec64e4c3aa0e4b7615e7da1aff8c6cfe94e94b4633cfd34f7f0f29353e397
  SHA512: f182e49782594033a470c4342adad6e69bab8a5c0e3459744c5c339b079f047715c14ec63be41306cf71f13a49457bca09b996a1bcb2e71358bee7a30ebe681d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5CB88436.wmf
  Filesize: 484B
  MD5: 9302d198d8344913f32de0a1a668c65e
  SHA1: a0f4dd5e860f1209a2a10fa40967f99aabb59972
  SHA256: 86630debdb20fd6931ff33f0c9120b97e81b4e339ee3a88d7241d5e9e17c88d0
  SHA512: 0974d7abaf9d98420aaf5cac446df740dece9f2ddd3663fb2dfa3cfa673f970cf2730ae6e041fd602106634fa9c856df6da824ece0334874649dffacee861268
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A06D74A.wmf
  Filesize: 508B
  MD5: f4f6046ad40d94e18563009682bb5da1
  SHA1: f7e7713f01f50ee15510e865f91e9e95290594d5
  SHA256: 9e75715bf36e29668f51664ef633f8c9620fbe7bd4aa9941b1befb9349b15e53
  SHA512: 1a4fcffbf0ff5ff9fdf0aaecae2f3687fb709e275d53f72128e8f78d03c35d5f72bf6f890a265e3eb7675aab51969ec9fdb260d20c1495b1e1bd97b93ae0fb34
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\76776C7B.wmf
  Filesize: 558B
  MD5: c85f96b0048d0e8e4d85bc70a2785e0c
  SHA1: b5beefcbde14f344093406d290b47b9479346079
  SHA256: 18a8a1c95cfdfee6f7a1e2f8e499c351f2983ddbddeadc82590795661f953dfd
  SHA512: 4b5efae581598ff00d9dddd1049ee350aae18be88b9ffcc1fa6077cdfc68c96647bbf06cf86afc2f386f82c201dd9e9ea22aff9d0aed69fcd90d4c5d0e6d8a39
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BCFF4C9.wmf
  Filesize: 484B
  MD5: d7bb7076edc6f543368f490d7abc57a3
  SHA1: a2275115ee21efe253334ca05e1e74e646302597
  SHA256: 5488b8336b37d18538cddae0b89c49b8e1b1c71743a9168215b1c04dcfd34097
  SHA512: ddf41617fffabc750e852a9890d335ed69de8b30579daa2e5218d338aa2502a37fba30edf3b029e27e55b3893d035938bd1451f3f22f3b88f2e766c89d059147
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E146D225.wmf
  Filesize: 490B
  MD5: 9e6902eff54e6f3ad6708f6eddfc3545
  SHA1: d7c4e0e4470e507f77b5b11d17fdbabe7bff5a54
  SHA256: f2c04532e82c4415e6be58dc37dd55864ccde56aa64b15d87ebceb11efdee78a
  SHA512: 70323f75aa798ea07f1cc3e33ac11160fcb23a9f8d7a6228d5d22f7a485a19678aca5c418893a6d7f4e4186bb3be22057a2db3af9caa59b1d01448a3364c5cde
- memory/5064-177-0x00000189442A0000-0x00000189444A0000-memory.dmp (Filesize: 2.0MB)
- memory/5064-137-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-133-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-136-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-138-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp (Filesize: 64KB)
- memory/5064-139-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp (Filesize: 64KB)
- memory/5064-135-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-134-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-201-0x00000189442A0000-0x00000189444A0000-memory.dmp (Filesize: 2.0MB)
- memory/5064-245-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-246-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-247-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)
- memory/5064-248-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp (Filesize: 64KB)