aa50f802614a4f2ff827b32065a691d174c895d641040bc6fc28a191aad299cd

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

www.tasmanianpolarnetwork.com.au_uploads_5_5_5_8_55584155_tpn_membership_application_form_may_2016.docm
Size

73KB
MD5

a3c0687851dfc664cff8010abda1a542
SHA1

29a6844f67674a7e8255daabfbff1376c947ea28
SHA256

aa50f802614a4f2ff827b32065a691d174c895d641040bc6fc28a191aad299cd
SHA512

da10a7905342209e2a4f4fe9c9a4dc3212ed470233593bff087ec179426e0865cbd8ec3a61342cf9a1441535de9e66112aab98b016fc1814492e241caaeaf2c3
SSDEEP

1536:kNWfnmmC2YA5PgHPX0MVv13ml5yJsu41ADyD:kNmmmC2YMaPEUv13KqoADq

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

800 WINWORD.EXE
800 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE
800 WINWORD.EXE

pid	process
800	WINWORD.EXE
800	WINWORD.EXE

pid	process
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE
800	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 800 wrote to memory of 4512	800	WINWORD.EXE	splwow64.exe
PID 800 wrote to memory of 4512	800	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\www.tasmanianpolarnetwork.com.au_uploads_5_5_5_8_55584155_tpn_membership_application_form_may_2016.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1195AF4C.wmf
Filesize
370B

MD5
9a7643abb71e72a6c2003e556fb7d9f0

SHA1
00a8cf383418ab558592a1e6a08a37e59d66e523

SHA256
d348330080e16e677cd9978c5e9a14a802cc3a17534c632d64bc398cd011b5e2

SHA512
54dad5acf3424bb65fe3cabd0cadb57bc84bbba9f0100f1350a4c6c8d8e7fa0a78147f60d22355e74fc59dd6badac1cd4d189c42377562f0caed07a486272750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11EB3F89.wmf
Filesize
370B

MD5
dcecbb32b18af9a810ec20cab2d17e42

SHA1
cab221e712862baa1f7137070b0054805fa98739

SHA256
8838675385d18b165dbfa76f8485d9dfae3555ab8c14da710f5b4fc097ee8480

SHA512
816a21b635c2b70a15a171d17a0c850f0c43b78d5227fd9af3c8449968de5f8150252b4d93258103cb97d3152cc9e3c2534b988c83fc4cf65eb99292bae45587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2EDEA3A8.wmf
Filesize
370B

MD5
44f366a2644d706e0582db64232c698f

SHA1
ece068ed42db4ba9950a2506ea1e63fe5acb7eb9

SHA256
abb0a5489d49141b7d5daa4197469fe34dc7c9cf09a64eebddee32404620269a

SHA512
91f34192ec65a85ad89974f91de33a41715a2c64d157bc66bc8b3b561b96b455f8019ca4b4b8110c42c433e6100a86559be4739966326b6a1db3e71a310608db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3218DA01.wmf
Filesize
370B

MD5
535d042f75c5e78cb94f1fddba9f2fc6

SHA1
6c04e81ad26dfdcecb7e5785ee4c7acb18afff99

SHA256
fbed8eedce8557605c2065d4cf34b479231517f90dbd6e449a0db122777b641f

SHA512
1a8dd3688581d2c56ac674c403bafdb0fe8830d4cae2e2f689b76587b669163f26a274a0c7dc78c41ea9cd8c2b0ea521c0828d56eb5504159d77fe96bd3d690f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3D5091A2.wmf
Filesize
370B

MD5
c19c9487b11b02c4c5f0b7e5f4559f66

SHA1
a490a6c508dbe143c5b9231dd05b8a83e784d80d

SHA256
4674ea8646ac0b23eeeeb526ad4f4eaabc79e3b4cf3ddd058ac25e241013ed09

SHA512
936f8f67430235ce811e9dc19f0961f065f9d5c9132de36239b9176b84bf1371d9b866265f4e207aab2d1001d879ab309f801b67ab6887e0fba2d56380750acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\93896F3A.wmf
Filesize
370B

MD5
dc62e154e9754adf413a9d26627a27ad

SHA1
dce132bf3cbee22a360b5f03c006c920351c032f

SHA256
bf14d2a8c982cba1ea21738a4b862e282e052cfeeb4b47b6f076fcc62e58afc8

SHA512
a6fa1c14702b082b02781bda74abfc5956b16e081bf19a95c19694318ae1f2b34f6466ad955b408c4725dd6e72c94db40a17e9c2b579c68e92f0e7c08db0f294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A6DE2EDD.wmf
Filesize
370B

MD5
7997fb77407c2f45f810aa018dfa0453

SHA1
be5701f1b3e9f5c397795949df7711db6cf59be6

SHA256
cfb174fc6e39f63328faf2e119bae24ed6b5f7ccbdc84c21f95b22918697e33c

SHA512
3e13b303402a143758dcb3a3b9070ddc5794365834917dbd45802ebf79cf23b006d672bf0ee6e26587962308ce76715a289175e43d740fcc658932afb82f3e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B3524913.wmf
Filesize
392B

MD5
00a5e194f033e198cd0990c7a0296fd8

SHA1
d877147f05f787769c95e2b76eebb48231824a6c

SHA256
d5300f5af7e889d92b2498972a5c9992adc2a35a5750d068eae2483b50b9e6ec

SHA512
17bc4d4a6a380616be6a6ab147c68d4097c0708725fbc4de0b6a95e71947b6e7770628821c6d72a16a00d73feefe058bffdc1eda94e4b7861e916d226a082a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BC38780E.wmf
Filesize
370B

MD5
64de7cae966d8b592eab1ef23ef863f3

SHA1
fc6ee8a32641bef4d0580f2339deefd28209b8de

SHA256
3ae80cb1191d68d087fb8983b3de8b3ad1fdca422dc4fa589eef63e9bc254e9c

SHA512
6534eecea938427b5b2b75853438eaa9a244a5a2b80813749240c9275552e86e83042e871345285c61f0a862ba447c5e82cedcdebf936164ce391d3957eb4e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CD21560F.wmf
Filesize
392B

MD5
8134a7b7e76a97e73b358efd0b953ea6

SHA1
20df253b63d725deffc5f1292470ae235c607d34

SHA256
712a00d7c16d8df7f3a09e34b2bbbc79dae431457080c543c27832a436c0b3b5

SHA512
c9ffa4625b8cc17009c1f95b08d1d0690e9e1447ed30daa66e7a304eb5315a1093ea9ab2038a299c83a591cceb9d96d0565c3c02f68b002991d78fea47f485f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D8A3CFF6.wmf
Filesize
370B

MD5
ebc97d7c9a7be3a7bfff063936ef8530

SHA1
1c10d7dc743e513710aa1670e15c212ffcc05019

SHA256
a445c918df726ba03900893396513832855b4d122545f459a50c4ff5cadf8cf1

SHA512
495d8e75483d7438055ad9764e7a2520f4a789dd936f15a6459fdb681322df09be0784aaf2e80eb3aa59080d05714d4b8a3c42aacbc2cb5c31fc36542b8471aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/800-214-0x00000286273B0000-0x00000286275B0000-memory.dmp

Filesize
2.0MB

Download
memory/800-140-0x00007FFB22F50000-0x00007FFB22F60000-memory.dmp

Filesize
64KB

Download
memory/800-138-0x00007FFB22F50000-0x00007FFB22F60000-memory.dmp

Filesize
64KB

Download
memory/800-137-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp

Filesize
64KB

Download
memory/800-133-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp

Filesize
64KB

Download
memory/800-136-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp

Filesize
64KB

Download
memory/800-134-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp

Filesize
64KB

Download
memory/800-135-0x00007FFB256D0000-0x00007FFB256E0000-memory.dmp

Filesize
64KB

Download
memory/800-306-0x00000286273B0000-0x00000286275B0000-memory.dmp

Filesize
2.0MB

Download