Analysis
-
max time kernel
102s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
05/07/2023, 01:11
Static task
static1
Behavioral task
behavioral1
Sample
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx
Resource
win10v2004-20230703-en
General
-
Target
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx
-
Size
10KB
-
MD5
75b5fb86bd2cc8fc41d253b5b90a767f
-
SHA1
4370d24b51f5689172afe913527f76b276e5c0cc
-
SHA256
4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4
-
SHA512
6035561fa54da886b06331e8c53be563c1d16423c515b13141c3ed03ebad443fe613a6d0c68b7009a3cc49e0a987c4f3e1ae4d1330538e3b00867de7fec95a84
-
SSDEEP
192:Rya0N09FtWvARgZVPCK44AG9xXSJ+Ej7vJYtKwuKovDWYZcWe5F9u6:RyX09FtWvANK4499xXSJf7vJYtG6YZOT
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeAuditPrivilege 4652 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE 4652 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4f25edbad3cf2f2cdd2ebb591ca119cef1df895e01d34012fb4292340b3045c4.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84