Analysis
-
max time kernel
149s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
10/04/2024, 10:22
Behavioral task
behavioral1
Sample
388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm
Resource
win10v2004-20231215-en
General
-
Target
388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm
-
Size
257KB
-
MD5
c34bb2fdbce2524c8aa74fe8149952a9
-
SHA1
159345bbeabf12c423f418f7788e525c5f377b2a
-
SHA256
388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622
-
SHA512
c1d8798ea907cf4386da9b73b9c85a75af49def54e921d3f76463c3d23bd8c257bef33e0920e64f712ae29a9616f1eb8d9cb7879045b3a52441229371f1f06a0
-
SSDEEP
6144:k3dDZWGnv6NPtk+q1w4znZSXrQxTQNv8D6ktI9GqXFG:k3dDZWGy4Dw4zZSXrgTQNv8DtWn1G
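As an added example that is not part of the Triage report, the static first check a practitioner runs on a .docm before detonating it: confirm the container is an OOXML ZIP package, that [Content_Types].xml declares the macro-enabled main part, and that word/vbaProject.bin (the VBA project) is actually present. The minimal document built in memory below is constructed for the demo and is not the sample hashed above; extracting and deobfuscating the VBA itself is the next step, for which olevba from oletools is the usual tool.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type Word assigns to the main document part of a macro-enabled (.docm) file.
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Package part that holds the VBA project (an OLE compound file inside the ZIP).
VBA_PART = "word/vbaProject.bin"


def triage_docm(data: bytes) -> dict:
    """Static look at a Word OOXML file: is it a ZIP, is it declared macro-enabled,
    does it carry a VBA project, and how large is that part?"""
    result = {"is_zip": False, "macro_enabled_type": False,
              "has_vba_project": False, "vba_size": 0, "parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["parts"] = names
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for el in root.iter():
                # Tags are namespaced ("{...}Override"), so compare on the suffix.
                if el.tag.endswith("Override") and el.get("ContentType") == MACRO_ENABLED_MAIN:
                    result["macro_enabled_type"] = True
        if VBA_PART in names:
            result["has_vba_project"] = True
            result["vba_size"] = z.getinfo(VBA_PART).file_size
    return result


def build_sample_docm(with_vba: bool) -> bytes:
    """Constructed minimal .docm skeleton for the demo; not the real sample."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{MACRO_ENABLED_MAIN}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE compound-file magic plus filler; a real vbaProject.bin is a CFB
            # container holding the VBA module streams.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("with VBA", build_sample_docm(True)), ("no VBA", build_sample_docm(False))):
        r = triage_docm(doc)
        print(label, "macro-enabled type:", r["macro_enabled_type"],
              "vbaProject.bin:", r["has_vba_project"], "size:", r["vba_size"])
```

Two mismatches are themselves worth flagging in triage: a file whose content type is macro-enabled but carries no vbaProject.bin (macro stripped or never present), and a file with a .docx extension that does carry one (Word will still prompt to run it). Neither case tells you what the macro does; for that, extract the project with olevba.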
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
3444 | Earthquake.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jakarta = "C:\\ProgramData\\W0il\\Earthquake.exe" | Earthquake.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Note that these reads, and the BIOS enumeration below, are attributed to WINWORD.EXE rather than to the dropped Earthquake.exe; Word issues the same queries when opening benign documents, so on their own they are a weak indicator here.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3048 | WINWORD.EXE
3048 | WINWORD.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3048 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3048 | WINWORD.EXE
3048 | WINWORD.EXE
3048 | WINWORD.EXE
3048 | WINWORD.EXE
3048 | WINWORD.EXE
3048 | WINWORD.EXE
3048 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 3048 wrote to memory of 3444 | 3048 | WINWORD.EXE | 88
PID 3048 wrote to memory of 3444 | 3048 | WINWORD.EXE | 88
Processes
-
1. Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\388f212dfca2bfb5db0a8b9958a43da6860298cdd4fcd53ed2c75e3b059ee622.docm" /o ""
   PID:3048
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. (child of PID 3048) Image: C:\ProgramData\W0il\Earthquake.exe
      Command line: C:\ProgramData\W0il\Earthquake.exe
      PID:3444
      - Executes dropped EXE
      - Adds Run key to start application
-
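The process tree and the Run-key IOC above are the two behaviours in this report that are worth a detection rule: an Office process spawning an executable out of a user-writable drop directory, and a Run value that points into one. The following is an added example, not part of the Triage report, that runs that logic over a handful of process-creation and registry-set events constructed to mirror the report's PIDs, paths and key; the event field names (type, pid, parent_image, image, key, value) are an assumed schema, not any particular sensor's.

```python
import re
from typing import Iterable, List, Tuple

# Parent processes that should not normally launch executables from drop directories.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# User-writable locations macro droppers commonly write to (case-insensitive prefix
# match). C:\ProgramData\ covers the report's C:\ProgramData\W0il\Earthquake.exe.
DROP_DIR_RE = re.compile(r"^(c:\\programdata\\|c:\\users\\[^\\]+\\appdata\\)", re.I)

# Per-user and per-machine Run / RunOnce keys, whatever hive prefix the sensor uses.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def first_path(value: str) -> str:
    """Executable path from a Run value; copes with a quoted path followed by arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def detect(events: Iterable[dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, evidence) tuples for the two behaviours."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            if image_name(ev["parent_image"]) in OFFICE_PARENTS and DROP_DIR_RE.match(ev["image"]):
                findings.append(("office_spawn_from_drop_dir", ev["pid"], ev["image"]))
        elif ev["type"] == "registry_set":
            if RUN_KEY_RE.search(ev["key"]) and DROP_DIR_RE.match(first_path(ev["value"])):
                findings.append(("run_key_to_drop_dir", ev["pid"], ev["value"]))
    return findings


# Constructed events modelled on the report's process tree and Run-key IOC; the
# explorer.exe parent and the benign Program Files helper are added as controls.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3048,
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"},
    {"type": "process_create", "pid": 3444,
     "parent_image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE",
     "image": "C:\\ProgramData\\W0il\\Earthquake.exe"},
    {"type": "registry_set", "pid": 3444,
     "key": "\\REGISTRY\\USER\\S-1-5-21-1497073144-2389943819-3385106915-1000"
            "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Jakarta",
     "value": "C:\\ProgramData\\W0il\\Earthquake.exe"},
    {"type": "process_create", "pid": 4100,   # constructed benign control
     "parent_image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE",
     "image": "C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\helper.exe"},
]


if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {evidence}")
```

The prefix match on the image path is deliberate: the dropper's directory name (W0il) and file name (Earthquake.exe) are trivially changed between builds, whereas "Word launched something from ProgramData" and "a Run value points into ProgramData" survive a re-pack. Tune DROP_DIR_RE to the drop paths seen in your own environment and add the parent's command line to the evidence if your sensor records it.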
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
47KB
MD5
0159c86ff9e92590335e438b5ebae2de
SHA1
1fe5a658143d1fc34646bf767956a8f4b842773e
SHA256
8c9b0fd259e7f016f53be8edc53fe5f908b48ae691e21f0f820da11429e595d8
SHA512
9008e6ae1fc00e465ac4ed575b1cdb1666075236c6e459dc15390202d0fe3cd6479564976d4549e27cc005e357d3d4ee2d3d6c2b892fa46d6fcdc43142bbf986
-
Filesize
23KB
MD5
81fdfe3078cb5a0ce3aadedfb7aca2f3
SHA1
cffc2751fca2bf23f024666e14ddf28bb18719a8
SHA256
1986757926bdd5aaf7cc3606cabe97c2181acabe1eec97cf7ceff88d50ef9719
SHA512
913894f9122722386a3b6ddf5ba0b793e68e04a7f1567baf1d90d5180b1602055ce4df710f55bf0bcf2d297afb84b1c7912fc943160d4335e2f2a57237b1c7e9
-
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84