Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 00:47

General

  • Target

    umowa_licencyjna.rtf

  • Size

    4KB

  • MD5

    0c5eca726976d665b26bcb3f7fe367fe

  • SHA1

    b3fe77b8548e941eb1cbaab8ca35c7aef9c67228

  • SHA256

    7c57ebddebc42482d136203a70fbffe1d6b65f1172cbc317f6912fa4169b4c61

  • SHA512

    27f2dbe3988f4da65f131a9edf92d741401c4a0768f6cc6337723a9d2d9f567bedd29e453f155744ac84d8e428c4504e7de6eb069d1f165da9fb7c5bef41dda7

  • SSDEEP

    96:e8dcKfqItSNU+c+qOjegy4Z0VHGnjvqoGhe6V8IXhRPxyJArMfnsY/wDFAJM2:eqlfPi584ZY6jyouV8IXhRZZIfn5/iAh

Score
6/10

Malware Config

Signatures

  • Process spawned suspicious child process 1 IoCs

    This child process is typically not spawned unless the parent process crashes (for example). A crash here usually indicates an unsuccessful attempt to compromise the parent process.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\umowa_licencyjna.rtf" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
      "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 2484
      2⤵
      • Process spawned suspicious child process
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\system32\dwwin.exe
        C:\Windows\system32\dwwin.exe -x -s 2484
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:740

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry: T1012 (2)
    • System Information Discovery: T1082 (2)


Downloads

  • memory/1620-9-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-3-0x00007FFEB54CD000-0x00007FFEB54CE000-memory.dmp (Filesize: 4KB)
  • memory/1620-11-0x00007FFE733F0000-0x00007FFE73400000-memory.dmp (Filesize: 64KB)
  • memory/1620-1-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/1620-5-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-4-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/1620-6-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-7-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/1620-12-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-10-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-32-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-2-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/1620-8-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/1620-13-0x00007FFE733F0000-0x00007FFE73400000-memory.dmp (Filesize: 64KB)
  • memory/1620-0-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/2748-20-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/2748-29-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/2748-30-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/2748-28-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/2748-27-0x00007FFE754B0000-0x00007FFE754C0000-memory.dmp (Filesize: 64KB)
  • memory/2748-31-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)
  • memory/2748-19-0x00007FFEB5430000-0x00007FFEB5625000-memory.dmp (Filesize: 2.0MB)