Analysis
-
max time kernel
126s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 01:02
Static task
static1
Behavioral task
behavioral1
Sample
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Resource
win10v2004-20231130-en
General
-
Target
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
-
Size
37KB
-
MD5
6de35c22ca3f026a6a645fc9fda40565
-
SHA1
252a6d49a0d9096e8c48c11d7c9a934681e55f6a
-
SHA256
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96
-
SHA512
b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28
-
SSDEEP
768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
MsoSync.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 456 1372 MsoSync.exe WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1372 WINWORD.EXE 1372 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WINWORD.EXEdescription pid process Token: SeAuditPrivilege 1372 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 1372 WINWORD.EXE 1372 WINWORD.EXE 1372 WINWORD.EXE 1372 WINWORD.EXE 1372 WINWORD.EXE 1372 WINWORD.EXE 1372 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1372 wrote to memory of 456 1372 WINWORD.EXE MsoSync.exe PID 1372 wrote to memory of 456 1372 WINWORD.EXE MsoSync.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"C:\Program Files\Microsoft Office\Root\Office16\MsoSync.exe"2⤵
- Process spawned unexpected child process
PID:456
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD57e996b534a3324631882ffd86897ce3c
SHA16f74be38140b3e5c4d3ff32e1a02baa4d393a2aa
SHA256e1a781642c3618141f217d23ab95d00fa9a1b59090b78414f92be441c533a40f
SHA512a89a8ecbc4414e809dd6cdaf0567a3bbaddb73db1a103d48ab816cd743d116e627f051376c586462b6948caaf694c30d1b62d65a771a17b631516c599474e45e