d386075cd9644ae405747cc27199d537e448b59bffb123e267fa9e324da271fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hyhelp/postbuy.doc
Size

184KB
MD5

2d7600575f85b494e049e237185a73b7
SHA1

6f66b46e22c92b408a8a8db8e3d1a63762556245
SHA256

2139707cb8d9cd5a33be5c3dbd4abf5e162d2534cf9f064919fbb1f7e4f95f25
SHA512

75fd1f3384a72e057e6fba5cf7353f6eb82b3816f9bb94cc8f9de1607fdf2549993b88b38ebfbce03da8bb61a2c8fb84083297e155ead81482a4bd21978ac06d
SSDEEP

1536:DgXhznstEiS61ZqYq2OnDw1GzUFba5KhEOqkoll9Xb56j44RWO6Bw8GWPVI4HJAO:Ek9F/1liNRs

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2168 WINWORD.EXE
2168 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2168 WINWORD.EXE
2168 WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE
2168	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2168 wrote to memory of 2124	2168	WINWORD.EXE	splwow64.exe
PID 2168 wrote to memory of 2124	2168	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\hyhelp\postbuy.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\18E7F5CD.wmf
Filesize
370B

MD5
02ee577e483072b06feeab551063d508

SHA1
91281d7d495af48f0ef205e4f9bf59d483001eb2

SHA256
90d3ce8bc694d5d31215e4d3e671e4007841ec278d28ce41df4a07f69952943d

SHA512
24b61a2ff692b1808e0c4887274992553071911c351c2aa81d688618f6cbcd8bd3e6f863c2e1bff84131bc822e26c97785d470c1532a1154e9fa13bef09f00c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1F8012F4.wmf
Filesize
2KB

MD5
f9ca69b3a0680e6d6487758e15be6bf0

SHA1
c9e49d768d3c667b158ad1295897881a8c3b8053

SHA256
881f0ea19ca03cfee54be9b0db67c14aa679e340b8dae27a2b4e0b3e5955655c

SHA512
f56ee792c1cbbeea9f9a2a63bb7ba7a40f943632ddd2c9f1b151a2121fea1306c5762cfb8689c68b65502f6ac554ae35cbed759dfb7cfed7ef8901b6e02d962b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4EAE9801.wmf
Filesize
370B

MD5
2d7f358c80d1f9691436e12314eba670

SHA1
dcb8cd5e00d222cf001e23b66db0d933e4b3bc88

SHA256
7311e8dbc8d59581b9c55e52ad285828702f208834e6cf4c3b3450ac5f1e0487

SHA512
6781210d38e5e5c33a507a4b84ab599e6ff890be08b90ec91bd3ab04740fb1d96e6f6f118636dbaff8fecd223879eb30dd3e63c4b829d0ee199b4ec76488017f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4EF89FED.wmf
Filesize
370B

MD5
f9ec61fa0735eb77b0e1c7827ad7c68d

SHA1
34d6048b1bbc03762613d5f98da65042c99aa4ef

SHA256
25e46bd7a406a09abc335826ab733befd0e875d38602bbd5d2aeaa6ebbfbae87

SHA512
1fd8bef622eff47d06104b58a2b53036ee9f6265e3dc764d78776a3627ce398318145c136c8d0433dcfd8c84ed26d496a96c22ecf881094eec2d3000a12a221c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\61DB19A8.wmf
Filesize
370B

MD5
e6b9fc77aee338088d0059bf4a6a8e9a

SHA1
9aac28a42c007e8fc40cb4b7e6313562b3cd5207

SHA256
4c6dec2e99415a3c4919702a7d4783ceff4eb4353a0022c748598a44d36ce951

SHA512
ffacb23bb98c02e94f1ab0290e8cde0f1b36c98cbc8089cf9a0a03463f9f4785c863d3d95cd69fde15345c5aa959495951a0f9b36114b45d70698a12972abd4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6FDD7A2.wmf
Filesize
912B

MD5
bd8d4f879da4b4a36303166709b6edfb

SHA1
60820818cb3654ea5a39d1d7bd8fa151bd103c0d

SHA256
39f91e91a01519a20d407b8f40d835b4f30647c27563f8595c2ef04126a22d83

SHA512
383dcd67962ffcec0e049df9d7ebe43f89b44c43593167833e79f144469c993daae6e860c23aebe09f72416a124bbf19a2afee0bc6400ad293de5cc88569ad37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7DFC0507.wmf
Filesize
886B

MD5
2cc3d7ceedaaec28646da207b21dbdb3

SHA1
3b721d22f606de5756235458c22c1e63df18723d

SHA256
3cfbe2a655ce82715f0af44091585f2c25ab922cd82c1d86cca44c25602706d5

SHA512
15016508a24f6e990a6662cc1f1e3739152f5d36632e3cb7466c79fc24515b0b284cab8be7a681b660174cb131972ab3977dadfec5839ec7d9b2431b45368f98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E700002.wmf
Filesize
912B

MD5
05679b0d63ad47ea5f74d091013f0f13

SHA1
efc6cd336f20dc514190bda8b8ffb92d3ac15572

SHA256
7e8f7e09dd2a54cd21f9f05eba78b4f43330037f01e10be840b96b54493ba8ea

SHA512
3da3ae6f0920c05809a9eb820a4ede76d9b600dedb6b66c1c63788a4384ce8e6e47e7b07ffff1a21b8da75996c133cdb9d6cf1c42dd2b057e690397ee9c60626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8DF753A.wmf
Filesize
370B

MD5
8611639e8e68b53974310fab4d2a016f

SHA1
fa01eacfa9bbc2f89e18b2d6602c952623989a2a

SHA256
8320d47ddfd76171760c152096a1bd771b88d0b507f67d4bab1682f024957800

SHA512
afc9c4f541a846d8716a2d21c394b18468af39963bd3e39434a416cf245bd0c2c2369cf720af78e2ed6c973d0fd932aea3ad5c9021596dd62e1c37781a411824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C3C0417F.wmf
Filesize
886B

MD5
b3e08dae8f87e5339e294b61a2df913d

SHA1
b60901149cccadb91085b070e6a8310e0c635511

SHA256
897861be9b595d63a265468205df3c058257699065eb5ff80199de4aceabcf85

SHA512
83ba4a0f2c66672ae6892f73397a5bd2139733062f8513536acef93afdf8d214b895cde2fb55d24aa7d27e83cc922dd09400f57c29e4947b3a942b7a65da8a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E1F57AE4.wmf
Filesize
866B

MD5
6f142fb218d68923f7558d104ee14560

SHA1
d2c74240974755eb56aa036fd30d7c5a12c9d835

SHA256
d74c0d3b4ff3bc6e70d715a6630986b840a63ed1762af26fdec9860b545c1628

SHA512
4dc367c4e119fb7d98bc710202abc19d588733986a340b2411db599da2ce97ff895fda769cdda3d124d3acd35c917ff9be1a40a4a1533fcfa9b6188c3cc3308a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E25D8926.wmf
Filesize
370B

MD5
c2418d38d6b943529d73538f49efef98

SHA1
8708175abf9633b390113a88f60503a852acdeaf

SHA256
3eb1c82d937f23854ce07c234e352b7ed971714d561fd2e1b4bd172bbc10e3fc

SHA512
13599ee53909690a56ffbff774e515b1c846f8f5ae193a6abe7e393a215d6f28cf6a72183319ec061002104c96f6053c92b2a32a41c232ec814a974692695f74

Download Submit
memory/2168-11-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-7-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-14-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-16-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-15-0x00007FF945890000-0x00007FF9458A0000-memory.dmp

Filesize
64KB

Download
memory/2168-17-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-18-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-19-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-21-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-22-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-20-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-32-0x000001C5B54D0000-0x000001C5B56D0000-memory.dmp

Filesize
2.0MB

Download
memory/2168-12-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-0-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-10-0x00007FF945890000-0x00007FF9458A0000-memory.dmp

Filesize
64KB

Download
memory/2168-9-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-8-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-13-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-6-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-3-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-4-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-5-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-1-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-2-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-907-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-908-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-909-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download
memory/2168-910-0x000001C5B54D0000-0x000001C5B56D0000-memory.dmp

Filesize
2.0MB

Download
memory/2168-966-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-967-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-968-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-969-0x00007FF947B50000-0x00007FF947B60000-memory.dmp

Filesize
64KB

Download
memory/2168-970-0x00007FF987AD0000-0x00007FF987CC5000-memory.dmp

Filesize
2.0MB

Download