6b405872944ae843c4abf198ae4e4a4eedf51d4a5834f2581ac3becd8a835607

Analysis

max time kernel
100s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

embed2.docx
Size

140KB
MD5

d4b4b4fe1fd378afc18dd96fe43601ff
SHA1

77efa90d9e2f33dcc118e17e0d0829ca8025e1ce
SHA256

6b405872944ae843c4abf198ae4e4a4eedf51d4a5834f2581ac3becd8a835607
SHA512

20e3aba53c6bbf7e2b5d6181950b92e4daf170a867a82137406d83eb9fe9a69adf0b47c85884a937e390be8de8cb041ebcd37b293a4654597110f6e85e7fd2fa
SSDEEP

3072:6NdhcwgK0/+FoGjm3l/F76DQmgb7bqEPS2Z4ZHSVVxjkD:h3K0/+FoGm3ik3LPS2kHSVVx4D

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{D75D5A8A-3BA9-4B08-8846-3F3378CD8BC3}\pe-Windows-x64-cmd:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3992	WINWORD.EXE
3992	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE
3992	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1800	3992	WINWORD.EXE	93
PID 3992 wrote to memory of 1800	3992	WINWORD.EXE	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\embed2.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7F8C99B0.emf

Filesize
5KB

MD5
f32b196146fbd0de2c72e0eb4f1103fc

SHA1
1b5aebdc0cd42f654d8e9f3047e18041ac66c381

SHA256
2ce96d77f0e2a4088dd99d735759c675b51df977213de9e01d6873ee9566cf04

SHA512
a57928974cab3763e0352b2c3b7ede393b96577595083156386b8d9706164f32efbd4dd92819189dd2594d1eca9b31ed3c7519796c8eabe199a05788a6c52e12

Download Submit
memory/3992-10-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-12-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-3-0x00007FFDE8850000-0x00007FFDE8860000-memory.dmp

Filesize
64KB

Download
memory/3992-4-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-6-0x00007FFDE8850000-0x00007FFDE8860000-memory.dmp

Filesize
64KB

Download
memory/3992-5-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-7-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-8-0x00007FFDE8850000-0x00007FFDE8860000-memory.dmp

Filesize
64KB

Download
memory/3992-9-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-13-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-2-0x00007FFDE8850000-0x00007FFDE8860000-memory.dmp

Filesize
64KB

Download
memory/3992-11-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-0-0x00007FFDE8850000-0x00007FFDE8860000-memory.dmp

Filesize
64KB

Download
memory/3992-15-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-14-0x00007FFDE6070000-0x00007FFDE6080000-memory.dmp

Filesize
64KB

Download
memory/3992-16-0x00007FFDE6070000-0x00007FFDE6080000-memory.dmp

Filesize
64KB

Download
memory/3992-1-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-60-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-61-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-64-0x00007FFE287D0000-0x00007FFE289C5000-memory.dmp

Filesize
2.0MB

Download
memory/3992-65-0x0000028E5ED10000-0x0000028E5ED74000-memory.dmp

Filesize
400KB

Download
memory/3992-66-0x0000028E66F50000-0x0000028E66F76000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads