Analysis
max time kernel: 101s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2023, 22:47
Static task: static1
Behavioral task: behavioral1
Sample: www.tullverket.se_download_18.5c3d004415b89fa6ac788f_1496053726779_760.88_nedsattning_av_samlad_garanti_till_50__25.docm
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: www.tullverket.se_download_18.5c3d004415b89fa6ac788f_1496053726779_760.88_nedsattning_av_samlad_garanti_till_50__25.docm
Resource: win10v2004-20230220-en
General
Target: www.tullverket.se_download_18.5c3d004415b89fa6ac788f_1496053726779_760.88_nedsattning_av_samlad_garanti_till_50__25.docm
Size: 34KB
MD5: 615bd8ecc4545db40026cf1c961493d7
SHA1: d3df5dc0a16196f37a4fc59d50f73d585faaa0f7
SHA256: 54598b11e7c4379e5351d4a7e6cea7b89faac6459a559f5d25c17f03eec22df3
SHA512: 482f050d65c7068facdc3230d68c341b8bda2c06b9c3b9cbc99a117f8610a049fdee2962618300b02f284fc9e01e97f81db7a8472206f5e782e804e2cf0f3e85
SSDEEP: 768:BSFvYzTfnAVBRaW3bo35wPCPw1DnTTRUJMifj/W:BSaTfsRN3jZnvREtb/W
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |

Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |

Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
| --- | --- |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |

Suspicious use of SetWindowsHookEx (8 IoCs)

| pid | Process |
| --- | --- |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |
| 4400 | WINWORD.EXE |

Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\www.tullverket.se_download_18.5c3d004415b89fa6ac788f_1496053726779_760.88_nedsattning_av_samlad_garanti_till_50__25.docm" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4400