6b11c7e042bf65c285ab4cad923935d6c0a08a42ff48744c370fc444cce7a7cd

Analysis

max time kernel
101s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s3-sa-east-1.amazonaws.com_tcm-assets_fraport-fortaleza-ptbr_files_assignees_credenciamento_formul_c.docm
Size

68KB
MD5

5e7658785aff7fdae8eb078c9e50e453
SHA1

d181b06c45d19430ad482244edd8892b16bfc381
SHA256

6b11c7e042bf65c285ab4cad923935d6c0a08a42ff48744c370fc444cce7a7cd
SHA512

8508ea831c75a88d2a215aa0fc863fa317eee1674b6e16f131fe37f43c0cb422ba3568b897531164c33628b14ccc9ebf7bcd9a0361673e521162cddec22a6125
SSDEEP

1536:lOyTHB3cmHJPM2auV2/DTdzqbbNNQQ/RDa9:k4pMm2m1ndM

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1384 WINWORD.EXE
1384 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1384 WINWORD.EXE
1384 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE
1384	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1384 wrote to memory of 216	1384	WINWORD.EXE	splwow64.exe
PID 1384 wrote to memory of 216	1384	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\s3-sa-east-1.amazonaws.com_tcm-assets_fraport-fortaleza-ptbr_files_assignees_credenciamento_formul_c.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\503E0495.wmf
Filesize
642B

MD5
4cfa5bc2c44c4ed09e6b0cfd16753ab7

SHA1
d30c27726689dd6a3dccdce5f35e2ceccf2cc029

SHA256
87fd96b3e4276772b1c026b116bfab1ab621a0717a4b696b3034b2031a0644dc

SHA512
edf1723cae62f933216b17bed4a93403700ba85eeb2eefe786d6192d3cdcf3bfe82d70951bfab3bbf1b1a9e91e2e368041953ac2e826df16a46c0e84926a48c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\52F06FAF.wmf
Filesize
642B

MD5
4f03b86e4d6631c26ff5fffc7332be1d

SHA1
14952a78ea51df67d5b5b6c6b4de3d96ba7935bd

SHA256
83f4ea26254d69825486bffd1d400217aac7245c5c48fe5acc3ccdea173c4851

SHA512
4bed29b66444d826e89589b55dd786758ff68fcd2daf8296703d4443edb991fffce563e20db22bfb34fdb488638bbb43252392b6c105d12e721329adc2774632

Download Submit
memory/1384-137-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-134-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-138-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-139-0x00007FF88C790000-0x00007FF88C7A0000-memory.dmp

Filesize
64KB

Download
memory/1384-140-0x00007FF88C790000-0x00007FF88C7A0000-memory.dmp

Filesize
64KB

Download
memory/1384-136-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-159-0x000002911A360000-0x000002911A560000-memory.dmp

Filesize
2.0MB

Download
memory/1384-135-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-177-0x000002911A360000-0x000002911A560000-memory.dmp

Filesize
2.0MB

Download
memory/1384-209-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-210-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-211-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download
memory/1384-212-0x00007FF88ECB0000-0x00007FF88ECC0000-memory.dmp

Filesize
64KB

Download