e93493e1b8ae2712e8c49dd224fab3d3ac576b566bf53c248487978386b181f5

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sweet-home.or.us_documentcenter_view_505.doc
Size

255KB
MD5

72c084ab0deefc4d1e451e0188412011
SHA1

41defa124d3d0697d317a151b42da36cacbeaaa3
SHA256

e93493e1b8ae2712e8c49dd224fab3d3ac576b566bf53c248487978386b181f5
SHA512

3fe8cec470696a368cce8d832f9528c6608b7313e2c40f12a4d3c5732b249d30fa21b9100cfe82c7cc8b85f562b5eb1c81b5de500acf9a4f6be7f6a7b7a48bba
SSDEEP

6144:Yesequw9wb6uwZXygSVJjyOup7QGNGDsafN1dhIeXlUrBQYLt:hE9fZgjy37TafN1dhIeXlUrBQY

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1696 WINWORD.EXE
1696 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1696 WINWORD.EXE
1696 WINWORD.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE
1696 WINWORD.EXE

pid	process
1696	WINWORD.EXE
1696	WINWORD.EXE

pid	process
1696	WINWORD.EXE
1696	WINWORD.EXE

pid	process
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE
1696	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1696 wrote to memory of 1228	1696	WINWORD.EXE	splwow64.exe
PID 1696 wrote to memory of 1228	1696	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sweet-home.or.us_documentcenter_view_505.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1197B319.wmf
Filesize
370B

MD5
82162e09ff0e10af85f8903e0afc00c0

SHA1
1ccc9ab8b231ccd35f7838d08e327c7b90f959ae

SHA256
1ea453473d22b8f34dc6b6081d818f9e8d160187347d7932591881dc6f3c3180

SHA512
6e0caac627a55428f08a11a939d23b9d1bb9470a69828d86853170f2815cacf9418de91b0746709640ec56c075988e784f7e314f5bec519ffdd7e3ffda285b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A0F55A1.wmf
Filesize
370B

MD5
271d85431b6b680813e35000305ddd89

SHA1
b943a11edf9612f9feca7d91985afb473191ebc5

SHA256
041186bc3112af22e8608a6db5ffbc11ea061eb66aa095d902bf2e30d482c032

SHA512
700308335934104e86fe47c8dbcb0b7d9e1864b1c8acd524505258440bb2d2734696a03447d8f0822e042c3156b6e0b580dfc2f36342f2e5d946a32773268b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\507D35E7.wmf
Filesize
370B

MD5
ab2e380e5ac3fbec9a11b8f3c54338d1

SHA1
971c1c657540e85f9abf663cef18e2eec332497b

SHA256
8bbe728dab83c4cb536eba524a42a9d3f9ee3c127cd23e790964cd1505b1a9a6

SHA512
8818280615c4ecb8adf16c20e5bc1f2eeb9543d5ec7b6ac15108666cc94985f36d83539113c34017284fa4aa04f6690daf5192d72b9e14ee48f81176d1fd04a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6090C729.wmf
Filesize
370B

MD5
44b7728d262b9abe5d6445a65bfe7221

SHA1
47e0ccde8465c76ffda354a119aed9650c7c5216

SHA256
7ed360272ba33e6d43f6f8cb1ec466e2ed58b9817aeda5e64e41e50ac719d54b

SHA512
9dc7ec72083f95245bf6d22e524b91edbb812df61c01de5250e9a5c9f3a69b36b2d2149ff0af6ecbc4a00260c81998f24894b72f669767b0aa4f44929ca085cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7379C1F.wmf
Filesize
370B

MD5
52f413fedf393da4e0fbc6d2a8e5fb63

SHA1
20d67dae46b9f49814e12668ca321c66ab5f2d86

SHA256
e1bf545feece7e2fd7bae9b97cf19b777d0ecf5ad32bcca555a57b1e41376efb

SHA512
b121d68bc0ca937f02f372eb48a9525613214e32e9c03743d5344713dfe55b98ae8ead0f8f489eb0e9dd58f783e2cc338155fb97f8bd2cf9f57d660891fd11b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8E139D8F.wmf
Filesize
370B

MD5
dc2d75e86e30c41ce5ae769eaaba4781

SHA1
91951fae0fc59bf919ab8646894f36679c4191d0

SHA256
c2893385b83902ea57bf93547dedd61bd483f79106ffc10d3509521efb60ccd4

SHA512
827d69ba51d786aeb4b5be9a1711be5f845b1b4d731c756a0f8f10b277299a0e1879543833ee43a6588888329d73df35e7ae500bbb2ef264a5bb52af304868f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A57FE36C.wmf
Filesize
370B

MD5
660b232e41da4d5dc985f17f4f875070

SHA1
94a945e75a6ac2b1adce3896d6dade44b0d8198f

SHA256
92c1f6b45a4336fa7bf0841ba19af64f2580bd7b9299c7dd33d6dfa5e306671a

SHA512
6ae146482e9c55ebcfdd03bbd8b0f4345a82f4a66c895dfda70e1030f6aca030de5e686b0406c382809d93b74787ab79fd617c77eb2f061caeea1161d970c5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ADA8FF8D.wmf
Filesize
370B

MD5
3d4323a7627557a4c2ff6f7dd1bc0e0c

SHA1
e78688abc1a93ba722edc756162a9e6098d49901

SHA256
d3a48f5b2c8eb4e1704f934668a446577ea7edc25c2ea16809ae9ba574f64438

SHA512
f331cae640604f62f77cbd89100f77a4a3771895104c24611111addc86a6754431b9d92ab08ffc8dcb2aff9f49e6406fb688b2e9750a73d8782c52bcd1c8b8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AFB29A85.wmf
Filesize
370B

MD5
6d7e63a7e282572b4c2e95d852e8d7c5

SHA1
f5cb52c57195e8149d085bef567eb8bb29df7c7b

SHA256
602ac9ee0051162391077a8869b9372cadce4e7ea631b8a270b8bdc68fea5bf6

SHA512
a4607c17f4607269f057a1458aa2735565800d8650055b21acd74a62e52568a828c5bf73c5577a6b5f471f6aab490e72e108ceb3dd9272f47a3e6fc0d8044538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\ECA133DB.wmf
Filesize
370B

MD5
6a4ec158c14d814795d4ea9d2137436e

SHA1
f8f290190849e3b69ed80566b9b1888d3985bece

SHA256
201cbd967fe117442f05204570fb9145b7cbfd4deb094d9ab169070ea888a800

SHA512
0ecf0512ae479048fecfd0e90d982d160b71962474bb80ee1a66bd71a76b73df364df73df6a7e73091f314bbc1403a08bfcea3b7698320f5f20a4cf910621d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F258C623.wmf
Filesize
370B

MD5
7eae03623ae77615644470e1f399c126

SHA1
ec4f3b5d53e7bfee9c8d739d8ceab857e12ad296

SHA256
dcf16a7fd5014ddcdf38ff10a46b303159bc8773eae8a40ffff7b663b87174b3

SHA512
73bf2d047957d3310559968ddf4dbc762a25c30c6c5aab2984d13628fe16b4539c4d276282618d6e026290489329f210acebff81853b7d2dbed195147a20c594

Download Submit
memory/1696-133-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp

Filesize
64KB

Download
memory/1696-140-0x00007FFCB4B20000-0x00007FFCB4B30000-memory.dmp

Filesize
64KB

Download
memory/1696-174-0x0000011DD5390000-0x0000011DD5590000-memory.dmp

Filesize
2.0MB

Download
memory/1696-136-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp

Filesize
64KB

Download
memory/1696-135-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp

Filesize
64KB

Download
memory/1696-137-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp

Filesize
64KB

Download
memory/1696-134-0x00007FFCB6E50000-0x00007FFCB6E60000-memory.dmp

Filesize
64KB

Download
memory/1696-138-0x00007FFCB4B20000-0x00007FFCB4B30000-memory.dmp

Filesize
64KB

Download
memory/1696-293-0x0000011DD5390000-0x0000011DD5590000-memory.dmp

Filesize
2.0MB

Download