Analysis
- max time kernel: 127s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2023 01:46
Static task: static1
Behavioral task: behavioral1
- Sample: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Resource: win10v2004-20231130-en
General
- Target: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Size: 58KB
- MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
- SHA1: fad289b5872a39a24d151ba59102c8d7c2e73e35
- SHA256: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf
- SHA512: 439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8
- SSDEEP: 1536:zU3fjdJnp5MMS+IX/tlKcEVM0l+Sdym9NEPTpKzEjs3jHBE:XtlKc2fl+SdBHErpKzEjs3LO
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
4856 | WINWORD.EXE
4856 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process
4856 | WINWORD.EXE
4856 | WINWORD.EXE
4856 | WINWORD.EXE
4856 | WINWORD.EXE
4856 | WINWORD.EXE
4856 | WINWORD.EXE
4856 | WINWORD.EXE
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4856