02a73afaabda635fa664c905bf1e11de884c5f84f7bab834da7a83954d7d214a

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hrdcktbq/好人多窗口同步器使用说明电子版.doc
Size

184KB
MD5

30a8c669dbd3d204b4dd896b8d9305bd
SHA1

d84afad58f28429fdebf59c7f84eda9b3eb8f445
SHA256

c0ffeec7e5a4f7c16c685ee00fcd820301b0832bb1df9ce7f847e6f78fe3dc98
SHA512

763d63122d57dd51c85f01bfe5cc4b791ed78933e52e9cad4188729834d10ac069d9ff7fb117d2c356034f21b2d1fc73853b1390e4d9326da758a4094561fde1
SSDEEP

3072:jUR8H+szPOG8jox9XrzMH6vReDsjMDeb1m/1+Fl8d3i1X1+OIGHnX:jUR8H+iPOGJx9bdvqDe4/1+IY1X1+Or3

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4284	WINWORD.EXE
4284	WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE
4284	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\hrdcktbq\好人多窗口同步器使用说明电子版.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4284-0-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-3-0x00007FFFF6D4D000-0x00007FFFF6D4E000-memory.dmp

Filesize
4KB

Download
memory/4284-2-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-1-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-5-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-4-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-7-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-8-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-6-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-9-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp

Filesize
64KB

Download
memory/4284-11-0x00007FFFB4610000-0x00007FFFB4620000-memory.dmp

Filesize
64KB

Download
memory/4284-22-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-23-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-24-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-25-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-47-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-50-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-49-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-48-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp

Filesize
64KB

Download
memory/4284-51-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads