b77e06dc08e2cbd42de7f614e6520e90f47e247fb3e4669b3381bf3191f3c1a7

Resubmissions

22/02/2024, 22:13

240222-15g7gsfg2v 3

22/02/2024, 22:12

240222-14sxlagb73 3

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

42KB
MD5

6ba02ef0dc7a955e7a3bba8459151809
SHA1

67ac7f8a1e0dd1a176468c3adab87e605a328ddb
SHA256

7e67c9b1e4bbe8d7ece19b0e4a7a626ad95b21903ee8682027444f12b6cd2067
SHA512

9935e203875d4c9fee32a0a631bb07bde39ac8e3814efe82c10c755b8461fcf67d98fb6094729ec1857afb81946f9e6d8f0817347a398dad2414caa549e88cec
SSDEEP

768:Kv5Xy+Vn+/hEHb1/zE5/Jb6v6p8HBEbtETHvUkM:Gy+R+eHypCmbqr8F

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4588	WINWORD.EXE
4588	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe
3040	Loader.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4588	WINWORD.EXE
4588	WINWORD.EXE
4588	WINWORD.EXE
4588	WINWORD.EXE
4588	WINWORD.EXE
4588	WINWORD.EXE
4588	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
memory/4588-12-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-8-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-4-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-3-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-6-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-7-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-1-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-9-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-10-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-5-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-2-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-11-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-48-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-14-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-15-0x00007FF9F1C20000-0x00007FF9F1C30000-memory.dmp

Filesize
64KB

Download
memory/4588-0-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-13-0x00007FF9F1C20000-0x00007FF9F1C30000-memory.dmp

Filesize
64KB

Download
memory/4588-49-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-51-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-52-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-53-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-50-0x00007FF9F4110000-0x00007FF9F4120000-memory.dmp

Filesize
64KB

Download
memory/4588-54-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download
memory/4588-55-0x00007FFA34090000-0x00007FFA34285000-memory.dmp

Filesize
2.0MB

Download