Malware Analysis Report

2025-04-14 03:32

Sample ID 240612-2dp9fswhqj
Target КрыловЭ.docx
SHA256 9df2d19f67d796090eeeff50200f3fa37520d9ba1936d6a1bc5101a495226925
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

9df2d19f67d796090eeeff50200f3fa37520d9ba1936d6a1bc5101a495226925

Threat Level: No (potentially) malicious behavior was detected.

Verdict: the file КрыловЭ.docx showed no (potentially) malicious behavior during detonation (score 1/10). The signatures listed below are informational hits; every behavioral one was raised by the WINWORD.EXE process that opened the document, not by a spawned child process.

Malicious Activity Summary


Suspicious use of SetWindowsHookEx

Office document contains embedded OLE objects

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 22:28

Signatures

Office document contains embedded OLE objects

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
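The static signature above only says that the document package carries at least one OLE relationship; it does not say what was embedded. The check below is an added example (not code from the sandbox or from this report) that reproduces the signature locally: it opens a .docx as the ZIP package it is, walks word/_rels/document.xml.rels for oleObject and package relationships, resolves each target part, and reports whether the part is an OLE compound file (D0 CF 11 E0 magic) or a nested ZIP such as an embedded Office document. It also pulls the ProgID and Type attributes from the o:OLEObject elements in word/document.xml, because a ProgID of "Package" (the Windows Packager) means an arbitrary file was wrapped, which is worth a closer look even in a low-scoring report. The sample .docx is constructed in memory by build_sample_docx() and is not the report's КрыловЭ.docx; the function names are this example's own.

```python
"""Added example: reproduce the 'Office document contains embedded OLE objects'
static check on a .docx package. The sample document is constructed inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # nested OOXML / ZIP part


def find_embedded_ole(docx_bytes):
    """One record per OLE/package relationship in word/_rels/document.xml.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        rels_path = "word/_rels/document.xml.rels"
        if rels_path not in names:
            return hits
        root = ET.fromstring(z.read(rels_path))
        for rel in root.iter(RELS_NS + "Relationship"):
            if rel.get("Type") not in (OLE_REL, PKG_REL):
                continue
            target = rel.get("Target", "")
            # Absolute targets are package-rooted; relative ones resolve against word/.
            part = target.lstrip("/") if target.startswith("/") else "word/" + target
            blob = z.read(part) if part in names else b""
            hits.append({
                "rel_id": rel.get("Id"),
                "part": part,
                "present": part in names,
                "size": len(blob),
                "is_cfb": blob.startswith(CFB_MAGIC),
                "is_zip": blob.startswith(ZIP_MAGIC),
            })
    return hits


def ole_progids(docx_bytes):
    """(ProgID, Type) for every o:OLEObject in word/document.xml; Type is Embed or Link."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/document.xml" not in z.namelist():
            return []
        doc = z.read("word/document.xml").decode("utf-8", "replace")
    out = []
    for attrs in re.findall(r"<o:OLEObject\b([^>]*)>", doc):
        prog = re.search(r'\bProgID="([^"]*)"', attrs)
        kind = re.search(r'\bType="([^"]*)"', attrs)
        out.append((prog.group(1) if prog else "", kind.group(1) if kind else ""))
    return out


def build_sample_docx(with_ole=True):
    """Constructed sample: a minimal .docx, optionally with one embedded Packager object."""
    rels = [('rId2', "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles",
             "styles.xml")]
    body = "<w:p><w:r><w:t>hello</w:t></w:r></w:p>"
    if with_ole:
        rels.append(("rId1", OLE_REL, "embeddings/oleObject1.bin"))
        body += ('<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
                 'ShapeID="_x0000_i1025" DrawAspect="Icon" ObjectID="_1" r:id="rId1"/>'
                 '</w:object></w:r></w:p>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:o="urn:schemas-microsoft-com:office:office" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   f"<w:body>{body}</w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   + "".join(f'<Relationship Id="{i}" Type="{t}" Target="{g}"/>' for i, t, g in rels)
                   + "</Relationships>")
        z.writestr("word/styles.xml", "<w:styles/>")
        if with_ole:
            # 512-byte header sector with the CFB magic; enough for the signature check.
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for h in find_embedded_ole(sample):
        print(h)
    print(ole_progids(sample))
```

A hit here confirms the signature but is not a verdict on its own: a legitimately embedded spreadsheet produces the same relationship. What moves the needle is the ProgID (Package, or a script or shell ProgID) and what the compound file actually contains, which is the next step with an OLE parser such as oletools' oleobj.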

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 22:28

Reported

2024-06-12 22:59

Platform

win10v2004-20240508-en

Max time kernel

1756s

Max time network

1766s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\КрыловЭ.docx" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\КрыловЭ.docx" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp

Files

memory/1272-0-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-2-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-1-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-3-0x00007FFE4E5CD000-0x00007FFE4E5CE000-memory.dmp

memory/1272-4-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-5-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-6-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-8-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-7-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-12-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-15-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-14-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-13-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-16-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

memory/1272-11-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-10-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-9-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

memory/1272-17-0x00007FFE0C1B0000-0x00007FFE0C1C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C0D30BD.dat

MD5 14eacf3cf0a92d6ff2f107bb1dba9d64
SHA1 b6bd6b60cb31c66c2d1c99755e9dd3acf314f906
SHA256 ba1b59461a2f4dcb548b8d7e4639cc75d261e6b9a64bc3aac66ba22c39c60a37
SHA512 148a8ca61d6919f221f61fb6f1741646f45c421cba47478a92354a5a8df781d01adbf4ee82c6083499cadf6fcef38b31d7c0ee80810f5706e2cbd4a453a2dc4e

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1272-539-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\518EF769.dat

MD5 85382491f405b67e7b153eb5ad55311d
SHA1 e971c0455f918ec6d1dff6867047941aee8ae038
SHA256 069f3581fd71bdf00b1aae20bf4c5e6678ab2804fd913ea2b84d32e5937c1aad
SHA512 18e4a9d95b1d99aa4dbe1c08db16148ae839ab0bfd9537096562a7a396f0460429d3e4c48fdfee47a84f94cf5f04440b282a5f3f9e9383f5820784c6d597ebd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8D138DE1.dat

MD5 06d9cdeb5ccc5e1be3e405ec34f8b37d
SHA1 56a28b812687039d9b8114410cf46a1dd9d2f00a
SHA256 da26a1786b278c32c7b6b0495a2cbe47059ecac89ea020d4c935d511cf37fbb9
SHA512 0614de091aa4d90b492e5c67b9511eada9ff6af4fb8b5b0521f73fdb7699d70a90eaf850fbab7e178b2979f2eca9d3d8fc45c01ba89b1e4c5025a56d23c9c22d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\9B75AEC5.dat

MD5 724581ff440f78cd010f78bb88ba7dca
SHA1 8b1b089583c9b63e1b9f660c8e5ef490780096d6
SHA256 2d7bfbd913fe0acdf36f136bd9b9e5fad382c7b13d057844415d14c0c3064f36
SHA512 71f2d497a76422283b93d87229eb89c583c5ffec2a2f076bba95eaef0934b9106be52c843984b86702429faec309e09b5bdf01087df0c6edbed1e348e8570bbb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D9B0921B.dat

MD5 0dd4954d162fffddd48747f92ea056aa
SHA1 943ae1333602dfbaa779fc35d4eff3afb125826d
SHA256 a80c6eee6daf3965f10cac6f0a42b41aaac706473a831db10649423889ef06b7
SHA512 b02002020d9bea0d240bcf52c8eb1911d66d3dccd3f134d803b987912f18c51e35fea10d815582dfa129d6e8546477dc9c3bf062c4f30d881de706a4536da37b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C65C765F.dat

MD5 6b378830fc2b6e972c6b8c1884aea82d
SHA1 1d1c420091ee4641a170bba1f22d63ab23b3e4b4
SHA256 658d813bb0dd0e3abc3c4ea88394a647b242aaf80f1b220214e35d8e34f2d524
SHA512 0567964e018b1b1bbaa98142d27478b1b7617da1ab5154fbb662a19a46a717a77945f61ef5747b1abd2958f26b36ef9e3c68408fc8d1eba9872f32bd2c817382

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6936EB97.dat

MD5 5752280295707d86ee1964c0dfb821c2
SHA1 cc055cdf0cc5fa325a87c059a0929b182b730ba0
SHA256 6af675d74d20939721c02eabb2283fe8f3ff12ff0b57609101bd94399aa80fbc
SHA512 f8160cfbc7d6a8b78a3954878db923ad929b566e1148e275678996ab2c8278ffee306d0b354e001cf1e1b9cb4e93cf04da10991a4c371bffdb68af1fee2fae03

memory/1272-781-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-780-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-782-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-783-0x00007FFE0E5B0000-0x00007FFE0E5C0000-memory.dmp

memory/1272-784-0x00007FFE4E530000-0x00007FFE4E725000-memory.dmp