af0510fea7562a1dc80e555e1bb8fdce8dd63df903bb7d0833c2c473fb41bbf6

Analysis

max time kernel
150s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

owo bot/info.rtf
Size

1KB
MD5

b975ac17d8cda6473cc36e52aeb3a26e
SHA1

d22376023f27fd8ee773e015a25ad81f3f04fcda
SHA256

845fa5d51bf9a2804a1ef2958913c92746892af019ad27ab9e282b43cbf4d582
SHA512

2235e9d1912892c0199d507e45e86303ac71c4a4c0ee367e905cbc019c5bae0034bfa750c9b98cad3b06f27ae7150ef017c8de39fd2762eab04d600fd870c984

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4484	WINWORD.EXE
4484	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE
4484	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\owo bot\info.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-1-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-0-0x00007FF7DEA70000-0x00007FF7DEA80000-memory.dmp

Filesize
64KB

Download
memory/4484-2-0x00007FF7DEA70000-0x00007FF7DEA80000-memory.dmp

Filesize
64KB

Download
memory/4484-4-0x00007FF7DEA70000-0x00007FF7DEA80000-memory.dmp

Filesize
64KB

Download
memory/4484-3-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-5-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-7-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-8-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-6-0x00007FF7DEA70000-0x00007FF7DEA80000-memory.dmp

Filesize
64KB

Download
memory/4484-9-0x00007FF7DEA70000-0x00007FF7DEA80000-memory.dmp

Filesize
64KB

Download
memory/4484-10-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp

Filesize
2.0MB

Download
memory/4484-11-0x00007FF7DC1E0000-0x00007FF7DC1F0000-memory.dmp

Filesize
64KB

Download
memory/4484-12-0x00007FF7DC1E0000-0x00007FF7DC1F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads