Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26-03-2024 02:09
Static task
static1
Behavioral task
behavioral1
Sample
3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9.rtf
Resource
win10v2004-20240226-en
General
-
Target
3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9.rtf
-
Size
77KB
-
MD5
cde3695e8c23e9e09db22243c899a215
-
SHA1
82598dfe560b70c5f2c6441bc4c13a58309ce0e8
-
SHA256
3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9
-
SHA512
30ade51f2792be8be9a5bc3c37b76333fea66f7f480f5b0e0dd63a2578bc4c80f77aa2c9d536d665d2cf2311910794c0e8dc5af6bc16688d43676ef6507abb5e
-
SSDEEP
1536:YxfsTw3nHeO1NwvfG08IhcX7Obmpy8wt0O/pARY9BxeRO5Ddc9h:Yxuw9bGfv3a+mpyht0+p2SeRO55c9h
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 760 WINWORD.EXE 760 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE 760 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3c5444b736af60ee4f23f9f411c0c6c7a266647e0b127500f1e320e4946fb2c9.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:760