f65ae8f2b7540ff93010945ecba328569fa0d193545b422d02145cb92e811f9c

Analysis

max time kernel
114s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
Size

679KB
MD5

7f075616272cca52e731c11080d0f3ef
SHA1

b5142fe556fc114eb221c4b14ad9d19c9e83fe83
SHA256

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
SHA512

f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
SSDEEP

12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1056 WINWORD.EXE
1056 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1056 WINWORD.EXE
1056 WINWORD.EXE
1056 WINWORD.EXE
1056 WINWORD.EXE
1056 WINWORD.EXE
1056 WINWORD.EXE
1056 WINWORD.EXE

pid	process
1056	WINWORD.EXE
1056	WINWORD.EXE

pid	process
1056	WINWORD.EXE
1056	WINWORD.EXE
1056	WINWORD.EXE
1056	WINWORD.EXE
1056	WINWORD.EXE
1056	WINWORD.EXE
1056	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\854EB019.emf
Filesize
5KB

MD5
d5c5e16f5d1a574b4643ca75feeff934

SHA1
3a4498112d3c8196b87120923c449db83477129c

SHA256
b32ef8a281ffc811ed9fb7ac4a27cea7cee2d95e5f98e5aab7e6c3c549522c52

SHA512
1c08179c39b678d8aaf15024db1d83d50170c82b8986c180a9c2318eeb60358424b96c4b5443d9c983e1e8df3d31512bb6bff4e95ec35d45224b57593d4adab0

Download Submit
memory/1056-133-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-134-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-135-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-136-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-137-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-138-0x00007FF9912D0000-0x00007FF9912E0000-memory.dmp

Filesize
64KB

Download
memory/1056-139-0x00007FF9912D0000-0x00007FF9912E0000-memory.dmp

Filesize
64KB

Download
memory/1056-176-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-177-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-178-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download
memory/1056-179-0x00007FF993C30000-0x00007FF993C40000-memory.dmp

Filesize
64KB

Download