e71d03648dbd2c57a4daf01ab36a6a28a3477f501d9d4db81ee24d80716f4cb1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

corso1.wikispaces.com_file_view_brass_ricerca.doc
Size

87KB
MD5

70c0e541acecc68f09e766358c753342
SHA1

425b000d64b22fb7b60c7416a8f8e3fca6b5f709
SHA256

e71d03648dbd2c57a4daf01ab36a6a28a3477f501d9d4db81ee24d80716f4cb1
SHA512

9ecb97d27357b8966ef0a97ee9c2a48563c5c7e2ed7d19b977f902f0bd4270f269a85e6372d99c8265be8552801062c2c9cb425b4a357f827188be168d26f142
SSDEEP

1536:sujVZ2E71ExilI46pIIGIDJ+HpWfl2vNr4Feq:1jiE71Exi/J7bJvG

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

5060 WINWORD.EXE
5060 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

5060 WINWORD.EXE
5060 WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 5060 wrote to memory of 3376	5060	WINWORD.EXE	splwow64.exe
PID 5060 wrote to memory of 3376	5060	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\corso1.wikispaces.com_file_view_brass_ricerca.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39DE7EA5.wmf
Filesize
576B

MD5
222aa772824776679605077d46c75e02

SHA1
a2a1c6b6b7aeb0f30082022ce62d3b73aac95d7e

SHA256
a28a7d26cbc4a5acb61538e2b119d33749e4d8d44f1d85f390f30dbfd1dd3e0f

SHA512
1225e252cf5aaceb6c2b1e6c4b78c24fd6f45333e075b43def7572e6cf4f22bf44e1f364a6428988f5bc6115e1fc6f81b5d000793d200d74f59d5a455eebc74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8B3FD434.wmf
Filesize
576B

MD5
7275837a68406c979d211e8b2f3153bf

SHA1
6b8e4ac00354169300c25fdee9ff24cec902d551

SHA256
3c6ba29f8f45eddfa0acdd6d8aea6c0b5ccf9e27c5a0553d03a06aec6963202c

SHA512
309e5097d60a90aa46c96c1ce18629eb19890dae9e4be65e3043f91e14bbff90680128b1878144d047baf6287ba9f11eeab1c8c9469374c22be4090e8ac52e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/5060-137-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-133-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-138-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp

Filesize
64KB

Download
memory/5060-139-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmp

Filesize
64KB

Download
memory/5060-144-0x0000022D4C950000-0x0000022D4CB50000-memory.dmp

Filesize
2.0MB

Download
memory/5060-136-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-135-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-134-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-170-0x0000022D4C950000-0x0000022D4CB50000-memory.dmp

Filesize
2.0MB

Download
memory/5060-196-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-197-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-198-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download
memory/5060-199-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmp

Filesize
64KB

Download