452320f3b1da42b30c32ea5ab5887983b575638ceb4e3beacfefbbb3b0510a48

Analysis

max time kernel
127s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExtPack-license.rtf
Size

19KB
MD5

1af9462955585fc3eb3af21c08da6b6a
SHA1

5b1fb945ef7021bb192b1a508f60aabd525ea1a7
SHA256

017549f1245343e96ddddfe1b8c37efea090cef9733bc276335c13b1a71e1c13
SHA512

ee6f95ce4abc6058ec3504db5349aa45e2dd9ff130d4d75a2493344723a344186e22c83c2f2249856964a629cbe8cc3896d11b94b92157a6caaba8158bedbabb
SSDEEP

192:wJrjv1Mf4g/y4pKnhDJIT0TyPH7cDcpr5wcgd3+EoXG6xoB0yDGpRpP7irYY:whAJ/1pKkITspr5qOoDDGBGp

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3056	svchost.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE
5072	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ExtPack-license.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
fd598abff4f90d5768a2c3cd4b454e59

SHA1
f840de286ae351e38d5bb03817239518bbcce840

SHA256
5843591794c1708f5d696ebdc9585c9a818866146dd2e6c901fb931657b592ab

SHA512
3c5d9f8f5cb7bd53edc5be1cb67c79488cef5d0c24829088f72e9ff13e30ffb4bec408cb2a19076b3fd98035e0306536164bf71d3c5cef2fb4ff39853318f686

Download Submit
memory/3056-215-0x0000027965930000-0x0000027965931000-memory.dmp

Filesize
4KB

Download
memory/3056-209-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-239-0x0000027965A70000-0x0000027965A71000-memory.dmp

Filesize
4KB

Download
memory/3056-238-0x0000027965A70000-0x0000027965A71000-memory.dmp

Filesize
4KB

Download
memory/3056-236-0x0000027965A60000-0x0000027965A61000-memory.dmp

Filesize
4KB

Download
memory/3056-224-0x0000027965860000-0x0000027965861000-memory.dmp

Filesize
4KB

Download
memory/3056-221-0x0000027965920000-0x0000027965921000-memory.dmp

Filesize
4KB

Download
memory/3056-218-0x0000027965930000-0x0000027965931000-memory.dmp

Filesize
4KB

Download
memory/3056-208-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-216-0x0000027965920000-0x0000027965921000-memory.dmp

Filesize
4KB

Download
memory/3056-172-0x000002795D640000-0x000002795D650000-memory.dmp

Filesize
64KB

Download
memory/3056-188-0x000002795D740000-0x000002795D750000-memory.dmp

Filesize
64KB

Download
memory/3056-204-0x0000027965CE0000-0x0000027965CE1000-memory.dmp

Filesize
4KB

Download
memory/3056-205-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-214-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-206-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-213-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-207-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-210-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-211-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/3056-212-0x0000027965D00000-0x0000027965D01000-memory.dmp

Filesize
4KB

Download
memory/5072-170-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-134-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-133-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-171-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-169-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-168-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-139-0x00007FFB6D3D0000-0x00007FFB6D3E0000-memory.dmp

Filesize
64KB

Download
memory/5072-135-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-138-0x00007FFB6D3D0000-0x00007FFB6D3E0000-memory.dmp

Filesize
64KB

Download
memory/5072-137-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download
memory/5072-136-0x00007FFB6FD30000-0x00007FFB6FD40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads