Analysis Overview
SHA256
9df2d19f67d796090eeeff50200f3fa37520d9ba1936d6a1bc5101a495226925
Threat Level: No (potentially) malicious behavior was detected
The file КрыловЭ.docx was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Suspicious use of SetWindowsHookEx
Office document contains embedded OLE objects
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 22:28
Signatures
Office document contains embedded OLE objects
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 22:28
Reported
2024-06-12 22:59
Platform
win10v2004-20240508-en
Max time kernel
1756s
Max time network
1766s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\КрыловЭ.docx" /o ""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C0D30BD.dat
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\518EF769.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8D138DE1.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9B75AEC5.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D9B0921B.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C65C765F.dat
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6936EB97.dat