0a213049df4abf319dbb1c1bd1b5114ffa01bca076e2880dd25e5a8567561f95

Analysis

max time kernel
170s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2023 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
Size

679KB
MD5

7f075616272cca52e731c11080d0f3ef
SHA1

b5142fe556fc114eb221c4b14ad9d19c9e83fe83
SHA256

c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12
SHA512

f9fe3bb4f04138c8c924a74f35c293cbe3e777a6f2993c0352e4de9f6677807fcb982190d2a070925ee7a6810a136f2f7c1358babe5e8087736513f6b77982a7
SSDEEP

12288:WXQnnE6+s3WsZ/lkwR939lgKFWRg1xY0VcRuaHuatAUz3huJ7XrjaJ+:WXQnnYsNHXR9NlgobVcUK7UXrj++

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{5245EAF1-5BB9-4343-919D-9986C1B4344B}\microsoft10converters.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4456 WINWORD.EXE
4456 WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE
4456	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4456 wrote to memory of 3856	4456	WINWORD.EXE	splwow64.exe
PID 4456 wrote to memory of 3856	4456	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\61EB284D.emf
Filesize
5KB

MD5
d5c5e16f5d1a574b4643ca75feeff934

SHA1
3a4498112d3c8196b87120923c449db83477129c

SHA256
b32ef8a281ffc811ed9fb7ac4a27cea7cee2d95e5f98e5aab7e6c3c549522c52

SHA512
1c08179c39b678d8aaf15024db1d83d50170c82b8986c180a9c2318eeb60358424b96c4b5443d9c983e1e8df3d31512bb6bff4e95ec35d45224b57593d4adab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5245EAF1-5BB9-4343-919D-9986C1B4344B}\microsoft10converters.exe
Filesize
658KB

MD5
5e9a63f5b3d8f53478a2889c0eefd510

SHA1
d6d545146b969ac2ea389a1f11ffcda377549da2

SHA256
4c312e3cce557ee17db0299bcc112699e616fb162afdadf12a41815a4a314b5c

SHA512
2ee785eafa4ff4e738f13c26659b479ef84d52977e0c6d054c4b38f228959a0909b8652923b821d557bef7ae3e5f129e6b2c5039b83bb1a71ef464d6e5ef5e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO0127.acl
Filesize
12KB

MD5
3929090f1a775f09a85811bd4701539a

SHA1
34c8edbbcb0d519583609109127c3a50eac00139

SHA256
dcf2f1a29ae33dd467064e7cc0c2010e40df0eabf9cbc8761559491a87ea192e

SHA512
a817e2a36d8a6f345bb9642b3663283cfce0a23e12b2dc252a085bb92a24801b607667730550f07951af7b2a3ae3961a00964b8475699b968adf4f382dd4e9f1

Download Submit
memory/4456-133-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

Filesize
64KB

Download
memory/4456-134-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

Filesize
64KB

Download
memory/4456-135-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

Filesize
64KB

Download
memory/4456-136-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

Filesize
64KB

Download
memory/4456-137-0x00007FF9644B0000-0x00007FF9644C0000-memory.dmp

Filesize
64KB

Download
memory/4456-138-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp

Filesize
64KB

Download
memory/4456-139-0x00007FF961DC0000-0x00007FF961DD0000-memory.dmp

Filesize
64KB

Download