Analysis
- max time kernel: 47s
- max time network: 55s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: 46a50c0e8786766b218522f27196da992c00127a8e01a503d6f0da2333cf4661.docm
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 46a50c0e8786766b218522f27196da992c00127a8e01a503d6f0da2333cf4661.docm
- Resource: win10v2004-20240426-en
General
- Target: 46a50c0e8786766b218522f27196da992c00127a8e01a503d6f0da2333cf4661.docm
- Size: 83KB
- MD5: 49daa45092803bc9827bc8585084d4a4
- SHA1: eeb5e9896bdbfed0434b027b590d3cc7d4f89cd8
- SHA256: 46a50c0e8786766b218522f27196da992c00127a8e01a503d6f0da2333cf4661
- SHA512: ac289f9daba084df2d10d2bd9f908f4e1bb3a85c900e0ec7abb68bf110a1fb0691558a89be5e47823dcb7240bea0427199cf3d0f8ac2549c015e7aab245d2466
- SSDEEP: 1536:Ep+WqQuctgd6mJ/D9eL2E3R1D3a7aGEGrGHEDws5W+JNwHJcgbZoL0d3FZimOXC9:K+X8YJbo2O1DqeGDGHAws5W4wHCgnFZL
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid  | process
  4844 | rad65266.tmp.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                                  | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description       | ioc                                                          | process
  Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS           | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
  pid  | process
  3224 | WINWORD.EXE (2 occurrences)
-
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
  pid  | process
  3224 | WINWORD.EXE (7 occurrences)
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        | pid  | process     | target process
  PID 3224 wrote to memory of 4844   | 3224 | WINWORD.EXE | rad65266.tmp.exe (3 occurrences)
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (process tree depth 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\46a50c0e8786766b218522f27196da992c00127a8e01a503d6f0da2333cf4661.docm" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rad65266.tmp.exe (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\rad65266.tmp.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\TCD7B7A.tmp\gb.xsl
- Filesize: 262KB
- MD5: 51d32ee5bc7ab811041f799652d26e04
- SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
- SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
- SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\rad65266.tmp.exe
- Filesize: 72KB
- MD5: 39aeffe1467d730807db2a577b467cb3
- SHA1: ab6a4ef5705ef496ede9ac3ac72c5b9d968fdfbe
- SHA256: 95691b07fac55057be045df76a25091d4ea8d12d20414a49fc0854ac3e4270a0
- SHA512: e33008174a39eba2c4ba96172450626d32e6105e70c2ca76051e07fd8f5e4a599742bb2fba79373ad2a3f7d02630f0a1ffc3c53ef602e08e98fdc06031f9e557
-
Memory dumps (path | Filesize):
- memory/3224-13-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-537-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-5-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-4-0x00007FFC852ED000-0x00007FFC852EE000-memory.dmp | 4KB
- memory/3224-6-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp | 64KB
- memory/3224-7-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-8-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-9-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-10-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-12-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-14-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-15-0x00007FFC43180000-0x00007FFC43190000-memory.dmp | 64KB
- memory/3224-546-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-3-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp | 64KB
- memory/3224-36-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-35-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-38-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-37-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-16-0x00007FFC43180000-0x00007FFC43190000-memory.dmp | 64KB
- memory/3224-41-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-0-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp | 64KB
- memory/3224-1-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp | 64KB
- memory/3224-65-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-66-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-2-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp | 64KB
- memory/3224-11-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/3224-545-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB
- memory/4844-56-0x00007FFC85250000-0x00007FFC85445000-memory.dmp | 2.0MB