001f329a99a84175ebadb671170482baeef0338807e93f399825381e58807f37

Analysis

max time kernel
104s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2023, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]/�МР по вакцинации.docx
Size

935KB
MD5

17c249aab93e7d3ad8a7c6f65717db41
SHA1

8dda7d72267f6f933fabf11288716a9faacd361d
SHA256

51899ef5370bcba1f41852c59ef299b4097e4be0e07c28a00e2eaa27ea8f08d3
SHA512

661cb2673523d2f96b0a4d3b31f41f6a174b7013846f4fed64e41729cc38baffc5972742ee1e200c9b7d81f576e6f3f28b5613e00493ce48b1c5bac3694e1520
SSDEEP

24576:P1LhUiPVAIWbaYzYBKQswSGvn6jbf7pMB6:XRU92SPzpk6

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4084	WINWORD.EXE
4084	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE
4084	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\[email protected]\�МР по вакцинации.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\38F796A2.wmf

Filesize
578B

MD5
dfe35d1e1c16e2a748c21a0636d376ec

SHA1
eb2605b603e8faf1430c070e32964193c29d23c1

SHA256
534ff3502bcca3062b0e22cdcdcfa060d957dd776973aeede63551af6c6c0d7f

SHA512
4fa00c16a0ad41bd66259251f40e95ee24d2ae7c06df1bd51aba9baa421465dc5d27b46bd7730e4288194c85878aa950a9b4dda6e7efd608066477aef58150e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\450415C4.dat

Filesize
784B

MD5
9daaeb0bfd4d2856f33d60409ed5822a

SHA1
e131e6e67536117df165397efb034b03fd63f138

SHA256
919a514251c594cdbcf5a5fa8ee9ff69e7b80e75818d8e66f97e8df802a52286

SHA512
a4e5387e3a896419efd5bee271bee04cd4cc2f9acd9f26065630fa2e134f95a22d9e7fc249e857e62392ddb7aaae644f05c6fb09196c48d6774b6e9d413fa5f7

Download Submit
memory/4084-139-0x00007FFCC3CF0000-0x00007FFCC3D00000-memory.dmp

Filesize
64KB

Download
memory/4084-136-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-137-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-138-0x00007FFCC3CF0000-0x00007FFCC3D00000-memory.dmp

Filesize
64KB

Download
memory/4084-133-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-135-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-134-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-348-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-349-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-350-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download
memory/4084-351-0x00007FFCC6010000-0x00007FFCC6020000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads