0473ee221e38ba27330654ffb3cdd6476ff530881c303cc20d2efdff0c270e61

General

Target

openai.rtf
Size

768KB
MD5

2e8a01026b5c298a9b1d2519241f0b16
SHA1

98b44cc10887c7cb63a769cbd258c45720eb7ef7
SHA256

0473ee221e38ba27330654ffb3cdd6476ff530881c303cc20d2efdff0c270e61
SHA512

aeaf88341f33a2f130730cd4871abbf9ae48a3932bab7a21d6376c7579bbe8dad7f226694134db5f0b19b2d9a3248c66e9c3f2adc21d432573f9624c4452451b
SSDEEP

768:5stVBjHeY2xUSc2xoEYGZc+dySGri6CbEYKhqgbEYhhigbEYhh8gbEYuIeY7EH4z:5spHGC

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

2592 WINWORD.EXE
2592 WINWORD.EXE
888 WINWORD.EXE
888 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

888 WINWORD.EXE
888 WINWORD.EXE

pid	process
888	WINWORD.EXE
888	WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE
888	WINWORD.EXE
888	WINWORD.EXE
888	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\openai.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0f2c51e1b31c4280b7b9263d90a0603f /t 2288 /p 2592
1⤵
PID:4560

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\CF7C076F-FBA4-4575-9B6B-879C8FF8A474
Filesize
160KB

MD5
e59bb7783338215bc29e5663a585a916

SHA1
01f28d74adf9e360d349ccf988e1faeeee30d3b9

SHA256
376d038a1e0115b95dc0c363916ab678aa8607654b0d74d75e0db41a383b06d7

SHA512
961fccb15bfb1da8d61052ae38f9cd11dca895328a12fe0b6eba0aa4c7f5c22d2ef5cf0d30e811fd872c00d91d273262b55b1ee9afb794fa0382038ba9348b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
333KB

MD5
e7f663ce715a2b74c17a013567b05926

SHA1
2b281c8ca9e1832394d0561a7cd6217393141545

SHA256
26776f52e21b7864c6a8aff3d8dbd1d73618214a9de454e922852c320465730b

SHA512
5600cc8c25a390b6a0b71108641d8974662b28464be8e5185dfe4313f37e5cd07d32c572219d6079efdf1081b455e1eb5315084fe5a0f1b8dc40cbe4cb1eb7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
8KB

MD5
a34f868df218235af12e3c33d2fccbc4

SHA1
4b23d71d899132e2bc77a7a8adf4e47e4da3355b

SHA256
09ad5d47a010e5c1e7350d2fc1cba1e17664f69cd75ff31e224fb378e6d4e28f

SHA512
7dfa5c0be68da9afe1f7651616a5ae41ba700314771225cadf0e05b51e029704d012af3f16a21bedda9fc2a26fa65da1c94ae20bbe6edb3f5d5336a2d9852ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
66e96fb11ed47bd34ad77494954c84f8

SHA1
7ee9cb52b405d121392f7dc929e026ae88cd0c95

SHA256
a2a6d9715eb34239881ee2d395268459185805508469ada8c774f0cb472f5429

SHA512
e46fdd394e70c772ad7970c8f2aa1c5dea6f0fc055a1dd60865506de444289919cbae0c06e2d7fb8ba587939c3defe9b9668dd302832483d45bef1580ddea6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
e8be9ed99508c53fb8b5f455cf20c584

SHA1
6aa8a9124aec0adaa0fdd7976a2d89f1aa085a3d

SHA256
fbae01326f1de7bb69b6bbba5c73ca88b5388de4984730d3ec3b315b56c64c8e

SHA512
342e839dbf5914e1dbd3cf485bbd7885cdf6babd01e446407207699bcce2438534b1b9faae1882cc05ad9673ce1220bfe8265eb76bc0bf10d25809f72411c215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\LiveRecovery save of openai.asd
Filesize
230KB

MD5
bb3895f144b76623cf1033af6e846178

SHA1
2eacc85bdb9c52f6b9109b3dedb4e9599b5a9ecd

SHA256
3649e49c4b6801d5cb0d07f06a0cae4d99a918c5c7b6da6adda928d964cfc5d1

SHA512
14c305cd27cdf263481334cfb1f6b41013fb1f43b0fa05922c5411043edf52b5bc145ab0c9c2a2a752dba1d1287270fbbe19c5028ae0da5d80cb27920ab52fcc

Download Submit
memory/888-59-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-75-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-66-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-65-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-64-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-63-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-61-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/888-60-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-10-0x00007FFF1B7D0000-0x00007FFF1B7E0000-memory.dmp

Filesize
64KB

Download
memory/2592-14-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-16-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-17-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-18-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-21-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-19-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-22-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-23-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-25-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-32-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-33-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-34-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-35-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-53-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-15-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-12-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-13-0x00007FFF1B7D0000-0x00007FFF1B7E0000-memory.dmp

Filesize
64KB

Download
memory/2592-11-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-0-0x00007FFF1E130000-0x00007FFF1E140000-memory.dmp

Filesize
64KB

Download
memory/2592-9-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-8-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-5-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-7-0x00007FFF1E130000-0x00007FFF1E140000-memory.dmp

Filesize
64KB

Download
memory/2592-6-0x00007FFF1E130000-0x00007FFF1E140000-memory.dmp

Filesize
64KB

Download
memory/2592-4-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-2-0x00007FFF1E130000-0x00007FFF1E140000-memory.dmp

Filesize
64KB

Download
memory/2592-3-0x00007FFF5E0B0000-0x00007FFF5E2A5000-memory.dmp

Filesize
2.0MB

Download
memory/2592-1-0x00007FFF1E130000-0x00007FFF1E140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads