Analysis
-
max time kernel
142s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
10/04/2024, 10:03
Behavioral task
behavioral1
Sample
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
Resource
win10v2004-20240226-en
General
-
Target
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
-
Size
32KB
-
MD5
bdf188b3d0939ec837987b4936b19570
-
SHA1
aba938bf8dc5445df3d5b77a42db4d6643db4383
-
SHA256
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53
-
SHA512
63b39390bd9702fa01e8d2ac63d63d37545547c0abf2c6403cd11e329d546716f313cb8e1f2a167ffd1ebd2cf56a205423359270563a19deaf9b167a3691c5ac
-
SSDEEP
768:DiehqsoMCWBJ9B23vxllNuLWlX9Ymzj+3BaVk7oXaFa4:Di9soc5B0vB9t9YWSBaUoXaQ4
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process
2164 WINWORD.EXE
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments. Note that in this run both WINWORD.EXE instances perform the same reads, including the /Automation -Embedding instance (PID 3580) that never opened the sample, so on this page the CPU and BIOS queries look like baseline Office behaviour rather than a sandbox check performed by the document itself.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
NTFS ADS 2 IoCs
Zone.Identifier is the Mark-of-the-Web stream. Here it is written to Word's own ~WRD*.tmp working copies in the user's Temp directory, which is consistent with Word carrying the mark over from the sample it opened; it is only observed on the document-loading instance (PID 2164).
description ioc Process
File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE
File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid Process
2164 WINWORD.EXE (2 IoCs)
3580 WINWORD.EXE (1 IoC)
Suspicious use of SetWindowsHookEx 22 IoCs
pid Process
2164 WINWORD.EXE (12 IoCs)
3580 WINWORD.EXE (10 IoCs)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm" /o ""
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2164
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3580
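The process tree above lists the same registry and hook signatures on both Word instances, including the /Automation -Embedding instance (PID 3580) that never opened the sample. The following Python is an added example, not code from the sandbox or this report's tooling, that turns that observation into a triage step: it parses the process listing and the two flattened registry IoC rows transcribed from this page, subtracts the baseline instance's signatures from the document-loading instance's, and names the queried registry values that are typical VM/sandbox fingerprints. The entries in SANDBOX_FINGERPRINT_VALUES beyond the four value names on this page (SystemManufacturer, SystemProductName) are the example's own assumption.

```python
"""Differential triage of a sandbox process tree (added example, not part of the
report).  The baseline Office instance's signatures are subtracted from the
document-loading instance's, leaving what is attributable to the sample.  All
input text below is transcribed from the report above."""
import re

SAMPLE_NAME = "28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm"

# Process tree as listed in the report: command line, signature bullets, PID.
PROCESS_TREE = r"""
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm" /o ""
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2164
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3580
"""

# The two flattened registry IoC rows from the report, verbatim.
CPU_IOC_ROW = r"description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE"
BIOS_IOC_ROW = r"description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE"

# Registry values commonly read to fingerprint a VM.  The first four appear in the
# report; the last two are this example's own addition, not taken from the page.
SANDBOX_FINGERPRINT_VALUES = {
    "~MHz", "ProcessorNameString",
    "SystemFamily", "SystemSKU",
    "SystemManufacturer", "SystemProductName",
}

_IOC_RE = re.compile(r"(Key opened|Key value queried)\s+(\\REGISTRY\\\S+)\s+(\S+\.exe)",
                     re.IGNORECASE)


def parse_registry_iocs(row):
    """Split one flattened 'description ioc Process ...' row into records."""
    return [{"action": m.group(1), "path": m.group(2), "process": m.group(3)}
            for m in _IOC_RE.finditer(row)]


def fingerprint_values(records):
    """Names of queried registry values that are on the fingerprint list."""
    hits = set()
    for rec in records:
        if rec["action"].lower() != "key value queried":
            continue
        value_name = rec["path"].rsplit("\\", 1)[-1]  # last path component
        if value_name in SANDBOX_FINGERPRINT_VALUES:
            hits.add(value_name)
    return hits


def parse_process_tree(text):
    """Map PID -> {'cmdline', 'signatures'} from the report's process listing."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"'):                 # quoted image path opens a process
            current = {"cmdline": line, "signatures": set()}
        elif line.startswith("- ") and current is not None:
            current["signatures"].add(line[2:].strip())
        elif line.startswith("PID:") and current is not None:
            procs[int(line[4:])] = current
            current = None
    return procs


def differential(procs, sample_name):
    """Return (loader_pid, signatures unique to the loader, baseline signatures).

    The loader is the process whose command line names the sample; the baseline is
    the union of signatures over every other process in the tree."""
    loaders = [pid for pid, p in procs.items() if sample_name in p["cmdline"]]
    if len(loaders) != 1:
        raise ValueError(f"expected one process loading the sample, found {loaders}")
    loader = loaders[0]
    baseline = set()
    for pid, p in procs.items():
        if pid != loader:
            baseline |= p["signatures"]
    return loader, procs[loader]["signatures"] - baseline, baseline


if __name__ == "__main__":
    procs = parse_process_tree(PROCESS_TREE)
    pid, unique, baseline = differential(procs, SAMPLE_NAME)
    print(f"PID {pid} loaded the sample; signatures not seen on the baseline instance:")
    for sig in sorted(unique):
        print("  -", sig)
    print("shared with the /Automation -Embedding instance:", sorted(baseline))
    recs = parse_registry_iocs(CPU_IOC_ROW) + parse_registry_iocs(BIOS_IOC_ROW)
    print("fingerprint values queried:", sorted(fingerprint_values(recs)))
```

On this report the differential leaves only "Deletes itself" and "NTFS ADS" on PID 2164; those are where manual analysis of the .dotm (a macro-enabled template) and of the ~WRD*.tmp working files should start, while the CPU/BIOS reads and the SetWindowsHookEx and AddClipboardFormatListener calls are shared with the baseline instance and carry little weight on their own. The value-name check is deliberately separate from the differential so it can be run on the IoC rows of a report whose process tree has only one Office instance.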
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 21B
MD5 f1b59332b953b3c99b3c95a44249c0d2
SHA1 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize 417B
MD5 c56ff60fbd601e84edd5a0ff1010d584
SHA1 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512 acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize 87B
MD5 e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512 bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize 14B
MD5 6ca4960355e4951c72aa5f6364e459d5
SHA1 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FE9FE847-3008-4B31-B664-1A70C07CFE30
Filesize 160KB
MD5 742370f43fcf98686a47f1d160255f21
SHA1 afe949a56a84c7bd5ae01d7714f2cf0de502d2f0
SHA256 ae4923530867ae306b0aa21adaa699d11c0fe25124af59b80510cdb5dc7e2428
SHA512 a0931adf0637f84e1f08faf43ec80a9ef94ff2aa04b11d233635eb4aa970f9b5d8b923ceb5571dc654b3c627edc5936e29175bdcb7f7940ee62e2f6598cd7b65
-
Filesize 8KB
MD5 dc59c5e4ac360b0225ee1794cbf3341f
SHA1 19fc644139bc803fe89c0c0c2a51331bf59f919c
SHA256 4f85ce44f8d62c27f70a121e081d24902a730d9de6eb6a050003d48041b9e33c
SHA512 01c957c6c1d7def1771cdb0a9020f24c2d27321926d77a083c92fe25aab8a59f0cd66139f5137a9470f1e0f3327f8792d5bf554aa70fe41b08ddc86c2e61ed89
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize 2KB
MD5 1859eefac12e0ce2906a2b0cd0fc8d25
SHA1 002274b3ac1f39a5c754d39316bcfeee82afe09b
SHA256 de04fbea7c764872c954ff952f569b76ba2c51da8e774021ad90b09e2a8b265b
SHA512 e7519f6420aa312dcd84d4dc3ed435af5356cf2440c470f8d7b67fe8eb923453ff6d7a8852aead5acedf89760c0ff7bc16f058c580f414e84871f25447587a6e
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize 2KB
MD5 959b5536b62a6d233d9184c65aaaef20
SHA1 ffe02154ac428e21a7f4a9aae73d48967eb5ceb4
SHA256 e372e8fe093bded4179616ea05a2cee100bd4507af05481bad5f69a04a417036
SHA512 421dadf2a3fb428e2ade20bbcb8f46248efec0ffa5691b649c2e9f0aea519071ada5322b7632e6a843be3b90d9d4211d26b1b9f76a1d6709926c4ac78bf52b9f
-
Filesize 40KB
MD5 ac81cbbcb0f1e5ca602cba1d13cfd416
SHA1 dae6d33ca3b01d0d4787c8e513e207d411ef42e5
SHA256 229b48ee8efa98af767867906f110277377a20a66eb96665a93c1824c5598665
SHA512 558a4eafec389a630989bf77a71e60cc91aae85fb32e48e65dd96146692c07d3569a40cc6cfdd6dbfa42470e2f121f1682e69550c0253130804e9ec13a23296e