e4cf43e2fbc9fb00d0deb2074e4a93c4f1a8275ec42b223c1a54e8392ce3dfc4

Analysis

max time kernel
71s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Alcance1.0_Sistema de Emergencia NR23.doc
Size

6.0MB
MD5

98229307f0b064c231fa66d1411a10d1
SHA1

6825a2e2d2f90f79058194c779428273b4c9db37
SHA256

e4cf43e2fbc9fb00d0deb2074e4a93c4f1a8275ec42b223c1a54e8392ce3dfc4
SHA512

1011d0e930037cc9ebbf22136e01f39fd9ba5392909642271baf2fc903e1994adc8a5a3cf86d72230763cfaac8d4826c34bcd78c7b86144f33d5b493d64c1961
SSDEEP

98304:HaWxUY49d4Dnt29Jl2hlFig37dyjwpP/Bvz9Q+hSG:6WubuEY5iK7RB/BL9Qo

Score

6^/10

Malware Config

Signatures

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3872	3540	DW20.EXE	85

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwwin.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwwin.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4660	3540	WINWORD.EXE	89
PID 3540 wrote to memory of 4660	3540	WINWORD.EXE	89
PID 3540 wrote to memory of 3872	3540	WINWORD.EXE	107
PID 3540 wrote to memory of 3872	3540	WINWORD.EXE	107
PID 3872 wrote to memory of 5044	3872	DW20.EXE	109
PID 3872 wrote to memory of 5044	3872	DW20.EXE	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Alcance1.0_Sistema de Emergencia NR23.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4660
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 7876
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 7876
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\17F153B7.emf

Filesize
26KB

MD5
35058b17a88e43a06860e75c63a4d2ef

SHA1
68bbc867a61247738ee35d03d7cc9ebbe1d50042

SHA256
9ccd43647759ba83cd3a9b9e009e870fc2305f303303c0131430f7402a324a55

SHA512
6aed187645c1ebfd442ce6d27f649ac401f7b241cbd986f15bcd6dadc9d426fb1e8ac26fda42174e9fd41b63448baca20737633e291b8b143aa27e5ccdb74ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\34BBFB0E.emf

Filesize
7KB

MD5
75f5f3f8eb40456633e82836509cd628

SHA1
d12e146fa23f06d6975563103d2fdc82b27d47fe

SHA256
866b81081439fbd0a1c74bba5dce565b050c7a306864ce7b512347720d02b67b

SHA512
e215345ce812e607201d8dbff2583ac4df207b0d597a3d3668f5ff79ca9a90c25737d921af945910347e67928b9dd104479c879e37420a92fef97d9125771d65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\49876DDD.emf

Filesize
49KB

MD5
c364a4ab05f4228b58cfe874ab7617e0

SHA1
03b664daf4369ddc6e8178da01b60c89e1614de9

SHA256
547fe0ba69b75b3f44a5e0b1ea139ced5564213ea5f398c9336c3737156cf15a

SHA512
5313a913395418832ff779b298b49ece378f65bee019b5ddc6f3dee19685d41b043d5a99d744929a567727906644c4464bb7bf436bd138db630d19193a829e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8B7B2A4C.emf

Filesize
21KB

MD5
e440cd125edbe726e2215dab2a8f8021

SHA1
4bc97606ca25822e1081501ca081265f2cdc15e6

SHA256
8f49b33208a932e843774d22b616984e0a8ecb688eac91ed6a5dfa97353afc08

SHA512
a120ffc64988d9ce2de5f2fdddd2881ee2e0a9c3178ea89d3593a864995a63f701aec382f379a21eb2375ecd6f7d3c08bc7e66647610b91024c2824cc2c61953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C454A901.emf

Filesize
8KB

MD5
b6f7bdd88478029eb0b9ce6e4b86ce24

SHA1
e4a4ed2875e1403f8b6ee900347eea5237fce3af

SHA256
bdacd811a8f85ab0051ae13e94169456507c644c60900810daebd6b8893e1501

SHA512
5ed58a496a619ca657e168a94164eddb8d6bc5275e338e61ac4854a7d60a3e30f1d478f3babfbc9b3582eb63edd76aa9beb1cf930513683c029dab89e95c6729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F3E0D00.emf

Filesize
16KB

MD5
d5c38a82175b666b58595e0d987be19c

SHA1
cd64d91d935f22ca465898395c6a54366a97e352

SHA256
0d0744b60647197055d96f3d7a89d6ded632a426101a8c4cc42d6b92a66c2e8f

SHA512
af1d1e69bc11ab53a7ab2257334dcf1bbbcb83be8efc5c287956803acca8a8630f32c4894345da7484b471c1ab247ff7f064357c477dc11ce548a58eb7ddf5ec

Download Submit
memory/3540-38-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-5-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3540-8-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-9-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-10-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-11-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-12-0x00007FF7E4F10000-0x00007FF7E4F20000-memory.dmp

Filesize
64KB

Download
memory/3540-14-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-13-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-15-0x00007FF7E4F10000-0x00007FF7E4F20000-memory.dmp

Filesize
64KB

Download
memory/3540-16-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-17-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-18-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-19-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-20-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-37-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-1-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3540-39-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-6-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-7-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3540-4-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-3-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3540-2-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3540-0-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3540-283-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-287-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3872-275-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-276-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-277-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-271-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-286-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3872-273-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-288-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3872-289-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-291-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-290-0x00007FF7E70D0000-0x00007FF7E70E0000-memory.dmp

Filesize
64KB

Download
memory/3872-293-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download
memory/3872-292-0x00007FF827050000-0x00007FF827245000-memory.dmp

Filesize
2.0MB

Download