Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
25-03-2024 13:38
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.ShellCode.69.11663.9638.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.ShellCode.69.11663.9638.rtf
Resource
win10v2004-20240319-en
General
-
Target
SecuriteInfo.com.Exploit.ShellCode.69.11663.9638.rtf
-
Size
77KB
-
MD5
cde3695e8c23e9e09db22243c899a215
-
SHA1
82598dfe560b70c5f2c6441bc4c13a58309ce0e8
-
SHA256
3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9
-
SHA512
30ade51f2792be8be9a5bc3c37b76333fea66f7f480f5b0e0dd63a2578bc4c80f77aa2c9d536d665d2cf2311910794c0e8dc5af6bc16688d43676ef6507abb5e
-
SSDEEP
1536:YxfsTw3nHeO1NwvfG08IhcX7Obmpy8wt0O/pARY9BxeRO5Ddc9h:Yxuw9bGfv3a+mpyht0+p2SeRO55c9h
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2044 WINWORD.EXE 2044 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE 2044 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.ShellCode.69.11663.9638.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:81⤵PID:4056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d