Analysis
max time kernel: 147s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 09:32
Behavioral task: behavioral1
  Sample: 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc
  Resource: win10v2004-20240226-en
General
Target: 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc
Size: 2.3MB
MD5: 3f326da2affb0f7f2a4c5c95ffc660cc
SHA1: f38abb67d47a4f69536ae67aa9c6df7287c08869
SHA256: 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b
SHA512: 83b322f899801920604457910c262500490f518591d9d0eefaccec59db98b546c76cfc4c1ac7f2fb08253b1201d76c5d6eaf5600a6d3793c4f3cba16c1f8cd18
SSDEEP: 24576:uguUgXlNGKIZyltJSR3PlRiBwlvQn5tNXw9OSTwbB3UGIpVoR1sLAXI3TYF+PXyx:unUgQWtIBlR7vQN3dBMRUXIDkCy
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 3524  WINWORD.EXE
Drops startup file (1 IoC)
  File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\windowsupdateconf.lnk  (expand.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA  (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 3524  WINWORD.EXE  (x2)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3524  WINWORD.EXE   (x2)
  pid 3352  Explorer.EXE  (x2)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeShutdownPrivilege        pid 3352  Explorer.EXE  (x17)
  Token: SeCreatePagefilePrivilege  pid 3352  Explorer.EXE  (x17)
  Token: SeAuditPrivilege           pid 3524  WINWORD.EXE   (x1)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3524  WINWORD.EXE  (x2)
Suspicious use of SetWindowsHookEx (14 IoCs)
  pid 3524  WINWORD.EXE  (x14)
Suspicious use of UnmapMainImage (1 IoC)
  pid 3352  Explorer.EXE
Suspicious use of WriteProcessMemory (13 IoCs)
  pid 3524 WINWORD.EXE  wrote to memory of 4956  (procid_target 90)   (x2)
  pid 3524 WINWORD.EXE  wrote to memory of 3352  (procid_target 56)   (x3)
  pid 3352 Explorer.EXE wrote to memory of 2264  (procid_target 98)   (x2)
  pid 3352 Explorer.EXE wrote to memory of 4720  (procid_target 100)  (x6)
Processes
C:\Windows\Explorer.EXE  (PID 3352)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3524)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b.doc" /o ""
    - Deletes itself
    - Checks processor information in registry
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe  (PID 4956)
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\system32\expand.exe  (PID 2264)
    command line: expand "C:\Users\Admin\AppData\Local\Temp\WindowsUpdateConf.lnk" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"
    - Drops startup file
  C:\Windows\System32\RuntimeBroker.exe  (PID 4720)
    command line: C:\Windows\System32\RuntimeBroker.exe
Network
MITRE ATT&CK Enterprise v15
Downloads