Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/04/2024, 09:57
Behavioral tasks
- behavioral1
  Sample: 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm
  Resource: win7-20240221-en
- behavioral2
  Sample: 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm
  Resource: win10v2004-20240226-en
General
- Target: 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm
- Size: 1.4MB
- MD5: 13814a190f61b36aff24d6aa1de56fe2
- SHA1: 08fd3f4cdcb6e4c3cb28935c41781e5fe84bf0c6
- SHA256: 221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292
- SHA512: 7010c2168caebc9d01d0cf0113dbb92f0c935c619db5771fffe46b2a72bf249015fb64d672b368d61e046b52a90b67e3a75e14948fd64b66caa00aff3900aed5
- SSDEEP: 24576:8rlNSREIjCl771rVRpKaPwV8kaUMkj7kWk7xuhai1oM54t9OwdeLx:8rlNSRsFhVRpdgJapgk9qaSl52O51
Malware Config
Signatures
- Drops startup file (1 IoC)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnsSystem.exe (process: WINWORD.EXE)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - PID 3836, WINWORD.EXE (2 occurrences)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 3836, WINWORD.EXE (2 occurrences)
- Suspicious use of SetWindowsHookEx (8 IoCs)
  - PID 3836, WINWORD.EXE (8 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 3836 (WINWORD.EXE) wrote to memory of PID 4504, procid_target 91 (2 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3836)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\221292a9f77f1a16fa0a7ed41b0eedbd312475dd9a5104c7923ed7889ea0f292.docm" /o ""
  Signatures:
  - Drops startup file
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\splwow64.exe (PID 4504)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 490B
  MD5: deca94d89bf2303c9e3d30040dae4eb8
  SHA1: 415c089df3c47331353038c4cb03e3098144e70c
  SHA256: e949fc641179a3948b94e400258af1ebc0c5189b0e5805d5f55bd10878b819e6
  SHA512: c2f4a3ac7c150cda1ac8ee41749ba1fdfdb7f43b6be2d3deb66be149346baf917135d5e8ddbb4dcad41fb100de5de43f8eb42d3aad48b5d7b2a49db70d9222a5
- Dropped file 2
  Filesize: 236KB
  MD5: cb4110236f9f987fa62689ba7952f910
  SHA1: 4e62a90dab1e5ba7dd58b7b3f3787e9d3c6e5aa7
  SHA256: 7fbec994354ee45d7dcb11dee54a5ad70d05ae97a4deb231a7bfb70e429fb7a9
  SHA512: 16bef9bc03fb33b32df89dbe81c129cc2d6e83d90b3615f23522395b563927f31a53b8c8b2e8380edaf6da0b9bf7b4d91a2cda8b5c8a2504d5c2ca968b13a21a