df51180c6950068f1b3ea41ae7389f81d315e0f91b9f6bfe6833bb8ea2f724d4

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c779e0f58297c6c9f17d38c1fdf973e2.doc
Size

40KB
MD5

c779e0f58297c6c9f17d38c1fdf973e2
SHA1

cb0a0ac27dc7dca7757a37b76bea45dfcc2671ab
SHA256

df51180c6950068f1b3ea41ae7389f81d315e0f91b9f6bfe6833bb8ea2f724d4
SHA512

9928051fdbb96fc601440839857eb847b0c0be0733ef3026cfd209346bd23fc7f3601dfa5ba2ca2c619a33fe4507d713b5b322f0de9860573af8999bd6b9a2a5
SSDEEP

192:mqEDoSZVVxsm0b5OmW0037gdTgm5ou0cDpAzboAyaMNHXL5Xn6zo+mcAz02oH9vG:mfbHSOmI7gZgEou0cDazbomVBAQ2AUm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3568	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3568	WINWORD.EXE
3568	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE
3568	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c779e0f58297c6c9f17d38c1fdf973e2.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp

Filesize
50KB

MD5
b06864df4e1932a251416d46722815f4

SHA1
f4e4bce5e33dd5633fadbd99c4fabb337e7d1d7c

SHA256
18fb3de6fbc7ef79b900a8e7862966942951ce0b0b4b5fbe23998264388342fe

SHA512
e1846c2b9a1fd0163b1f6e2e14f2fa415374bee46068d097febed37f7da74783ee9968f15adb4b46697fab4642e19d2e0bd597d0a3dd10a09023ef901fe090ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0002.tmp

Filesize
24KB

MD5
065ebed48a49895c35d4c0a1db478975

SHA1
c25a64c1034db567a618cbdc92786cd4808fc5c8

SHA256
c4a3a5456ce248d21fd79436bee5460a84fe3a96484921170865e13725d8ed9e

SHA512
a7b4cab0f0cca46ec7dd3560869b6a6fc3ac517b21a48cdda3d799996bb7c26bb30ed340f545f9379679317b7452169a07f47acef3b008329fcc7617ce5a29e0

Download Submit
C:\ascii.vxd

Filesize
1KB

MD5
307774863062cba7c405b1ef6dc09199

SHA1
ae0c0ea189e1135f9f521949f82b4c37b3fdca63

SHA256
1571c1a999addd300b618374a186d7e105fc8c9b012611d576d695f3659dd110

SHA512
6abee8d8ae7d5712fea87b100b7948662f8075d2761d4351df8e4b6a689ce1a8e94575dba1fbd207316163e13e21efa3ed236904d28364f7c07a90467fa0ea07

Download Submit
memory/3568-11-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-50-0x000001FBEA310000-0x000001FBEB2E0000-memory.dmp

Filesize
15.8MB

Download
memory/3568-5-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-7-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-6-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-8-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-9-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-10-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-0-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-12-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-13-0x00007FF81D100000-0x00007FF81D110000-memory.dmp

Filesize
64KB

Download
memory/3568-14-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-15-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-16-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-18-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-17-0x00007FF81D100000-0x00007FF81D110000-memory.dmp

Filesize
64KB

Download
memory/3568-32-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-37-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-42-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-2-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-4-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-3-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-49-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-66-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-70-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-71-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-72-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-73-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-74-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-75-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-76-0x000001FBE6100000-0x000001FBE6900000-memory.dmp

Filesize
8.0MB

Download
memory/3568-77-0x000001FBEA310000-0x000001FBEB2E0000-memory.dmp

Filesize
15.8MB

Download
memory/3568-1-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-109-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-110-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-111-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-112-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-113-0x00007FF81F510000-0x00007FF81F520000-memory.dmp

Filesize
64KB

Download
memory/3568-114-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-116-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download
memory/3568-115-0x00007FF85F490000-0x00007FF85F685000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads