Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted
02-04-2023 22:47
Behavioral task
behavioral1
Sample
sweet-home.or.us_documentcenter_view_505.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
sweet-home.or.us_documentcenter_view_505.doc
Resource
win10v2004-20230220-en
General
-
Target
sweet-home.or.us_documentcenter_view_505.doc
-
Size
255KB
-
MD5
72c084ab0deefc4d1e451e0188412011
-
SHA1
41defa124d3d0697d317a151b42da36cacbeaaa3
-
SHA256
e93493e1b8ae2712e8c49dd224fab3d3ac576b566bf53c248487978386b181f5
-
SHA512
3fe8cec470696a368cce8d832f9528c6608b7313e2c40f12a4d3c5732b249d30fa21b9100cfe82c7cc8b85f562b5eb1c81b5de500acf9a4f6be7f6a7b7a48bba
-
SSDEEP
6144:Yesequw9wb6uwZXygSVJjyOup7QGNGDsafN1dhIeXlUrBQYLt:hE9fZgjy37TafN1dhIeXlUrBQY
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
1696 | WINWORD.EXE
1696 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: WINWORD.EXE
pid | process
1696 | WINWORD.EXE
1696 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: WINWORD.EXE
pid | process
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
1696 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: WINWORD.EXE
description | pid | process | target process
PID 1696 wrote to memory of 1228 | 1696 | WINWORD.EXE | splwow64.exe
PID 1696 wrote to memory of 1228 | 1696 | WINWORD.EXE | splwow64.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sweet-home.or.us_documentcenter_view_505.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1197B319.wmf
Filesize
370B
MD5
82162e09ff0e10af85f8903e0afc00c0
SHA1
1ccc9ab8b231ccd35f7838d08e327c7b90f959ae
SHA256
1ea453473d22b8f34dc6b6081d818f9e8d160187347d7932591881dc6f3c3180
SHA512
6e0caac627a55428f08a11a939d23b9d1bb9470a69828d86853170f2815cacf9418de91b0746709640ec56c075988e784f7e314f5bec519ffdd7e3ffda285b98
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A0F55A1.wmf
Filesize
370B
MD5
271d85431b6b680813e35000305ddd89
SHA1
b943a11edf9612f9feca7d91985afb473191ebc5
SHA256
041186bc3112af22e8608a6db5ffbc11ea061eb66aa095d902bf2e30d482c032
SHA512
700308335934104e86fe47c8dbcb0b7d9e1864b1c8acd524505258440bb2d2734696a03447d8f0822e042c3156b6e0b580dfc2f36342f2e5d946a32773268b19
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\507D35E7.wmf
Filesize
370B
MD5
ab2e380e5ac3fbec9a11b8f3c54338d1
SHA1
971c1c657540e85f9abf663cef18e2eec332497b
SHA256
8bbe728dab83c4cb536eba524a42a9d3f9ee3c127cd23e790964cd1505b1a9a6
SHA512
8818280615c4ecb8adf16c20e5bc1f2eeb9543d5ec7b6ac15108666cc94985f36d83539113c34017284fa4aa04f6690daf5192d72b9e14ee48f81176d1fd04a1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6090C729.wmf
Filesize
370B
MD5
44b7728d262b9abe5d6445a65bfe7221
SHA1
47e0ccde8465c76ffda354a119aed9650c7c5216
SHA256
7ed360272ba33e6d43f6f8cb1ec466e2ed58b9817aeda5e64e41e50ac719d54b
SHA512
9dc7ec72083f95245bf6d22e524b91edbb812df61c01de5250e9a5c9f3a69b36b2d2149ff0af6ecbc4a00260c81998f24894b72f669767b0aa4f44929ca085cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7379C1F.wmf
Filesize
370B
MD5
52f413fedf393da4e0fbc6d2a8e5fb63
SHA1
20d67dae46b9f49814e12668ca321c66ab5f2d86
SHA256
e1bf545feece7e2fd7bae9b97cf19b777d0ecf5ad32bcca555a57b1e41376efb
SHA512
b121d68bc0ca937f02f372eb48a9525613214e32e9c03743d5344713dfe55b98ae8ead0f8f489eb0e9dd58f783e2cc338155fb97f8bd2cf9f57d660891fd11b1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8E139D8F.wmf
Filesize
370B
MD5
dc2d75e86e30c41ce5ae769eaaba4781
SHA1
91951fae0fc59bf919ab8646894f36679c4191d0
SHA256
c2893385b83902ea57bf93547dedd61bd483f79106ffc10d3509521efb60ccd4
SHA512
827d69ba51d786aeb4b5be9a1711be5f845b1b4d731c756a0f8f10b277299a0e1879543833ee43a6588888329d73df35e7ae500bbb2ef264a5bb52af304868f3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A57FE36C.wmf
Filesize
370B
MD5
660b232e41da4d5dc985f17f4f875070
SHA1
94a945e75a6ac2b1adce3896d6dade44b0d8198f
SHA256
92c1f6b45a4336fa7bf0841ba19af64f2580bd7b9299c7dd33d6dfa5e306671a
SHA512
6ae146482e9c55ebcfdd03bbd8b0f4345a82f4a66c895dfda70e1030f6aca030de5e686b0406c382809d93b74787ab79fd617c77eb2f061caeea1161d970c5af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ADA8FF8D.wmf
Filesize
370B
MD5
3d4323a7627557a4c2ff6f7dd1bc0e0c
SHA1
e78688abc1a93ba722edc756162a9e6098d49901
SHA256
d3a48f5b2c8eb4e1704f934668a446577ea7edc25c2ea16809ae9ba574f64438
SHA512
f331cae640604f62f77cbd89100f77a4a3771895104c24611111addc86a6754431b9d92ab08ffc8dcb2aff9f49e6406fb688b2e9750a73d8782c52bcd1c8b8bc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AFB29A85.wmf
Filesize
370B
MD5
6d7e63a7e282572b4c2e95d852e8d7c5
SHA1
f5cb52c57195e8149d085bef567eb8bb29df7c7b
SHA256
602ac9ee0051162391077a8869b9372cadce4e7ea631b8a270b8bdc68fea5bf6
SHA512
a4607c17f4607269f057a1458aa2735565800d8650055b21acd74a62e52568a828c5bf73c5577a6b5f471f6aab490e72e108ceb3dd9272f47a3e6fc0d8044538
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ECA133DB.wmf
Filesize
370B
MD5
6a4ec158c14d814795d4ea9d2137436e
SHA1
f8f290190849e3b69ed80566b9b1888d3985bece
SHA256
201cbd967fe117442f05204570fb9145b7cbfd4deb094d9ab169070ea888a800
SHA512
0ecf0512ae479048fecfd0e90d982d160b71962474bb80ee1a66bd71a76b73df364df73df6a7e73091f314bbc1403a08bfcea3b7698320f5f20a4cf910621d42
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F258C623.wmf
Filesize
370B
MD5
7eae03623ae77615644470e1f399c126
SHA1
ec4f3b5d53e7bfee9c8d739d8ceab857e12ad296
SHA256
dcf16a7fd5014ddcdf38ff10a46b303159bc8773eae8a40ffff7b663b87174b3
SHA512
73bf2d047957d3310559968ddf4dbc762a25c30c6c5aab2984d13628fe16b4539c4d276282618d6e026290489329f210acebff81853b7d2dbed195147a20c594
-
memory/1696-133-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp
Filesize
64KB
-
memory/1696-140-0x00007FFCB4B20000-0x00007FFCB4B30000-memory.dmp
Filesize
64KB
-
memory/1696-174-0x0000011DD5390000-0x0000011DD5590000-memory.dmp
Filesize
2.0MB
-
memory/1696-136-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp
Filesize
64KB
-
memory/1696-135-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp
Filesize
64KB
-
memory/1696-137-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp
Filesize
64KB
-
memory/1696-134-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp
Filesize
64KB
-
memory/1696-138-0x00007FFCB4B20000-0x00007FFCB4B30000-memory.dmp
Filesize
64KB
-
memory/1696-293-0x0000011DD5390000-0x0000011DD5590000-memory.dmp
Filesize
2.0MB