Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02-04-2023 22:50
Behavioral task
behavioral1
Sample
corso1.wikispaces.com_file_view_brass_ricerca.doc
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
corso1.wikispaces.com_file_view_brass_ricerca.doc
Resource
win10v2004-20230220-en
General
-
Target
corso1.wikispaces.com_file_view_brass_ricerca.doc
-
Size
87KB
-
MD5
70c0e541acecc68f09e766358c753342
-
SHA1
425b000d64b22fb7b60c7416a8f8e3fca6b5f709
-
SHA256
e71d03648dbd2c57a4daf01ab36a6a28a3477f501d9d4db81ee24d80716f4cb1
-
SHA512
9ecb97d27357b8966ef0a97ee9c2a48563c5c7e2ed7d19b977f902f0bd4270f269a85e6372d99c8265be8552801062c2c9cb425b4a357f827188be168d26f142
-
SSDEEP
1536:sujVZ2E71ExilI46pIIGIDJ+HpWfl2vNr4Feq:1jiE71Exi/J7bJvG
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 5060 WINWORD.EXE 5060 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
WINWORD.EXEpid process 5060 WINWORD.EXE 5060 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXEpid process 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE 5060 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 5060 wrote to memory of 3376 5060 WINWORD.EXE splwow64.exe PID 5060 wrote to memory of 3376 5060 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\corso1.wikispaces.com_file_view_brass_ricerca.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39DE7EA5.wmfFilesize
576B
MD5222aa772824776679605077d46c75e02
SHA1a2a1c6b6b7aeb0f30082022ce62d3b73aac95d7e
SHA256a28a7d26cbc4a5acb61538e2b119d33749e4d8d44f1d85f390f30dbfd1dd3e0f
SHA5121225e252cf5aaceb6c2b1e6c4b78c24fd6f45333e075b43def7572e6cf4f22bf44e1f364a6428988f5bc6115e1fc6f81b5d000793d200d74f59d5a455eebc74c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8B3FD434.wmfFilesize
576B
MD57275837a68406c979d211e8b2f3153bf
SHA16b8e4ac00354169300c25fdee9ff24cec902d551
SHA2563c6ba29f8f45eddfa0acdd6d8aea6c0b5ccf9e27c5a0553d03a06aec6963202c
SHA512309e5097d60a90aa46c96c1ce18629eb19890dae9e4be65e3043f91e14bbff90680128b1878144d047baf6287ba9f11eeab1c8c9469374c22be4090e8ac52e04
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lexFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/5060-137-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-133-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-138-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmpFilesize
64KB
-
memory/5060-139-0x00007FFEEAC00000-0x00007FFEEAC10000-memory.dmpFilesize
64KB
-
memory/5060-144-0x0000022D4C950000-0x0000022D4CB50000-memory.dmpFilesize
2.0MB
-
memory/5060-136-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-135-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-134-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-170-0x0000022D4C950000-0x0000022D4CB50000-memory.dmpFilesize
2.0MB
-
memory/5060-196-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-197-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-198-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB
-
memory/5060-199-0x00007FFEED4D0000-0x00007FFEED4E0000-memory.dmpFilesize
64KB