Analysis
- max time kernel: 138s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2023 01:22
Static task: static1
Behavioral task: behavioral1
- Sample: attachment-2.rtf
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: attachment-2.rtf
- Resource: win10v2004-20230220-en
General
- Target: attachment-2.rtf
- Size: 36KB
- MD5: 1024edaea952ddfed7ee9067dd266409
- SHA1: 56b86cc12b63201a23ab3926901501f0aa5680d7
- SHA256: 0b20d40d91927043566ec42d1d44c23bc0522e19defcd366c8354b9ea14db68c
- SHA512: 5375187e3ff03b4386c5f9a449ebbda2ac34b20231f3bf4dec84ed99f6173855c8f98aa545fd49255449a2fbe978adf65f86dcc2c5261aaa455790a1ddd11b7b
- SSDEEP: 768:SFx0XaIsnPRIa4fwJMZAEgpJagU+8DtIvBjJK:Sf0Xvx3EMZhkagU+etIvBFK
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes: WINWORD.EXE
  pid | process
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
  4056 | WINWORD.EXE
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\attachment-2.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4056-133-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-135-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-134-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-136-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-137-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-138-0x00007FFF14770000-0x00007FFF14780000-memory.dmp (Filesize: 64KB)
- memory/4056-139-0x00007FFF14770000-0x00007FFF14780000-memory.dmp (Filesize: 64KB)
- memory/4056-170-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-171-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-172-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)
- memory/4056-173-0x00007FFF16870000-0x00007FFF16880000-memory.dmp (Filesize: 64KB)