Analysis
- max time kernel: 142s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2024, 23:25
Behavioral task behavioral1
- Sample: 54deafaa7fbd40b7da5f291d6f6a683d.doc
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 54deafaa7fbd40b7da5f291d6f6a683d.doc
- Resource: win10v2004-20231215-en
General
- Target: 54deafaa7fbd40b7da5f291d6f6a683d.doc
- Size: 38KB
- MD5: 54deafaa7fbd40b7da5f291d6f6a683d
- SHA1: 5e3fa26bdbc204a26b6ae642b3e8911a2b857b8e
- SHA256: 403b71c0ff36ff91bd8102d080b744f811978f4d3017a80b527a7f93f1e6e1ad
- SHA512: 902dfb651f5c9797ca3d14e60d7cbaa8f27f1f33869f52547d331486513f20e9cc9fc9b79804f47ee69a76af730d715f40a4e25e7093049e853386647126ee2b
- SSDEEP: 384:rzOmycGhgnfLWmihpF2z0zjsxGL6upkqv50Q51:/OmlGhgnDW53NHO1qv50Q5
Malware Config
Signatures
Deletes itself 1 IoCs
- pid 4748, Process WINWORD.EXE
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (Process: WINWORD.EXE)
NTFS ADS 1 IoCs
- File created: C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA (Process: WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- pid 4748, Process WINWORD.EXE (2 entries, identical)
Suspicious use of SetWindowsHookEx 13 IoCs
- pid 4748, Process WINWORD.EXE (13 entries, identical)
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\54deafaa7fbd40b7da5f291d6f6a683d.doc" /o ""
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4748
Network
MITRE ATT&CK Enterprise v15
Downloads