Analysis
-
max time kernel
101s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27/03/2024, 20:31
Behavioral task
behavioral1
Sample
e2480dfe08f0bc1a6482d7039a1d7531.docm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e2480dfe08f0bc1a6482d7039a1d7531.docm
Resource
win10v2004-20240226-en
General
-
Target
e2480dfe08f0bc1a6482d7039a1d7531.docm
-
Size
28KB
-
MD5
e2480dfe08f0bc1a6482d7039a1d7531
-
SHA1
024f070de576d654eb92950a0f33c4f5b15277f2
-
SHA256
6e9be71cbd7e3a82209dab61b70bb589a2bfe8c9d5441cb029b1cdb42aa4b2a9
-
SHA512
a2a7effe2dbaffc4b8601f930f49a5e657eb0d14c979f0223d65e4cb662d015e06d5cbff2d6ba57ecf04de990112c5010ba818ab0e480524df496f77249eb705
-
SSDEEP
768:MnAqt/Wvzsdd/uVwWwrxllNrC0y0vycwCZ:MvtGz+28rBYD0vtwCZ
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2400 WINWORD.EXE 2400 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2400 WINWORD.EXE 2400 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE 2400 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2144 2400 WINWORD.EXE 89 PID 2400 wrote to memory of 2144 2400 WINWORD.EXE 89
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e2480dfe08f0bc1a6482d7039a1d7531.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2144
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:3128
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
528B
MD5f9f3103bf84f218e9067e6d0fda1dfc9
SHA1daaf95255c5d23e8139ae163de81caa0d04b9813
SHA256bb077c3586524f75d90796badbc9e7c384deb7b467f5e72871d0b5fd675880b2
SHA5121c82e037503c7809cc8f664c543081602d19a212f986cdd1eeeddfbd029ca453e3f84a8af2e627326ba1338c50a65961711c32b8fec8d539a8e7b97dd01924ce
-
Filesize
370B
MD51b84467e29041f10fcd9d76b0920b96c
SHA11eed025f6c538b398ff5cf0c50c920e0bc304b0a
SHA256e01e26c4eea1575dc7d7e5ffe53cb933408e399c9710483afe00ceedc6c103c1
SHA512f34734a0437fde2e6a23986779dc2f96521c082d87e8c880e34199a0a876be580383f9c85864dd7c4afae5ba273509960a0b734222530928fd3a89b1605a8adf
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84