Analysis
max time kernel: 170s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2023 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
  Resource: win10v2004-20230220-en
General
Target: c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
Size: 679KB
MD5: 7f075616272cca52e731c11080d0f3ef
SHA1: b5142fe556fc114eb221c4b14ad9d19c9e83fe83
SHA256: c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
SHA512: f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
SSDEEP: 12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++
Malware Config
Signatures

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

NTFS ADS (1 IoC)
Processes: WINWORD.EXE
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\{5245EAF1-5BB9-4343-919D-9986C1B4344B}\microsoft10converters.exe:Zone.Identifier (WINWORD.EXE)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE (PID 4456), 2 occurrences

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes: WINWORD.EXE (PID 4456), 14 occurrences

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  PID 4456 (WINWORD.EXE) wrote to memory of PID 3856 (splwow64.exe), 2 occurrences

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Windows\splwow64.exe
   Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\61EB284D.emf
  Filesize: 5KB
  MD5: d5c5e16f5d1a574b4643ca75feeff934
  SHA1: 3a4498112d3c8196b87120923c449db83477129c
  SHA256: b32ef8a281ffc811ed9fb7ac4a27cea7cee2d95e5f98e5aab7e6c3c549522c52
  SHA512: 1c08179c39b678d8aaf15024db1d83d50170c82b8986c180a9c2318eeb60358424b96c4b5443d9c983e1e8df3d31512bb6bff4e95ec35d45224b57593d4adab0

C:\Users\Admin\AppData\Local\Temp\{5245EAF1-5BB9-4343-919D-9986C1B4344B}\microsoft10converters.exe
  Filesize: 658KB
  MD5: 5e9a63f5b3d8f53478a2889c0eefd510
  SHA1: d6d545146b969ac2ea389a1f11ffcda377549da2
  SHA256: 4c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c
  SHA512: 2ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO0127.acl
  Filesize: 12KB
  MD5: 3929090f1a775f09a85811bd4701539a
  SHA1: 34c8edbbcb0d519583609109127c3a50eac00139
  SHA256: dcf2f1a29ae33dd467064e7cc0c2010e40df0eabf9cbc8761559491a87ea192e
  SHA512: a817e2a36d8a6f345bb9642b3663283cfce0a23e12b2dc252a085bb92a24801b607667730550f07951af7b2a3ae3961a00964b8475699b968adf4f382dd4e9f1
Memory dumps (all 64KB):
  memory/4456-133-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp
  memory/4456-134-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp
  memory/4456-135-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp
  memory/4456-136-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp
  memory/4456-137-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp
  memory/4456-138-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp
  memory/4456-139-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp