Analysis
- max time kernel: 73s
- max time network: 71s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-06-2024 13:19
Static task: static1
Behavioral task: behavioral1
- Sample: file-sample_500kB.doc
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: file-sample_500kB.doc
- Resource: win11-20240508-en
General
- Target: file-sample_500kB.doc
- Size: 491KB
- MD5: f66e2b042497390f2feed4a95ff9d613
- SHA1: d8e6c9825d33914e0e157c0b34a3067ab761c5a8
- SHA256: 6cd47bd7261f1cc0c77b51d9ccb2ce89eb042e20ebbed9955447c929aaf6befc
- SHA512: 9c55d73f74d88667788279c4ea2cf76da2a2cf0c854c793010154600c26c403494f858f6620c93403ecdf15fa3b23b9316e6effc882c116b593be5370d53c088
- SSDEEP: 12288:4x8cxFg6nH+rpLsAMxN9ONVLKhawKKvUA4PNA:4x80R+ruz2XahrvU7
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: pid 4412 WINWORD.EXE (both IoCs)
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: pid 4412 WINWORD.EXE (all 15 IoCs)
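The registry IoCs in the two signatures above are printed as flattened "description ioc process" lines. The Python below, added here as an editor's example and not code from the sandbox, parses those lines, normalizes the native \REGISTRY\MACHINE prefix to HKLM, groups the reads by the key they touch, and returns a heuristic severity. The ATT&CK mapping (T1012, T1082, T1497.001), the fingerprinting-key table and the Office allowlist are assumptions of the example, not something the report states; the example assumes that such reads by a baseline Office process are routine on their own and scores them low, which is a baseline you should measure in your own environment before relying on it.

```python
"""Parse the registry IoC lines from this report and map them to ATT&CK.

Editor-added example; not the sandbox's own code. The technique mapping
(T1012, T1082, T1497.001), the fingerprinting-key table and the Office
allowlist are the editor's assumptions, not facts stated by the report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the six IoC lines exactly as the report prints them.
REPORT_IOCS = """\
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz WINWORD.EXE
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString WINWORD.EXE
Key opened \\REGISTRY\\MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0 WINWORD.EXE
Key opened \\REGISTRY\\MACHINE\\Hardware\\Description\\System\\BIOS WINWORD.EXE
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemFamily WINWORD.EXE
Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU WINWORD.EXE
"""

IOC_RE = re.compile(r"^(Key value queried|Key opened) (\\REGISTRY\\\S+) (\S+)$")

# Native NT object-manager prefixes and their Win32 hive names.
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}

# Keys commonly read to fingerprint the host (editor's assumption). Compared
# case-insensitively: the report prints HARDWARE\DESCRIPTION and
# Hardware\Description for the same key.
FINGERPRINT_KEYS = {
    r"hklm\hardware\description\system\centralprocessor\0": "cpu",
    r"hklm\hardware\description\system\bios": "bios",
}
# Query Registry, System Information Discovery, Sandbox Evasion: System Checks
TECHNIQUES = ("T1012", "T1082", "T1497.001")

# Processes for which these reads are assumed routine (editor's assumption;
# replace with a baseline measured in your own environment).
OFFICE_BASELINE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


@dataclass(frozen=True)
class RegEvent:
    action: str    # "Key opened" or "Key value queried"
    path: str      # Win32 form, e.g. HKLM\HARDWARE\...\CentralProcessor\0\~MHz
    process: str


def parse_iocs(text: str) -> list[RegEvent]:
    """Turn the flattened 'description ioc process' lines into events."""
    events = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            continue
        action, nt_path, proc = m.groups()
        for prefix, hive in HIVES.items():
            if nt_path.upper().startswith(prefix):
                nt_path = hive + nt_path[len(prefix):]
                break
        events.append(RegEvent(action, nt_path, proc))
    return events


def classify(events):
    """Group events by fingerprint category: {category: set(paths)}."""
    hits = defaultdict(set)
    for ev in events:
        p = ev.path.lower()
        for key, cat in FINGERPRINT_KEYS.items():
            # Either the key itself ("Key opened") or a value directly under it.
            if p == key or p.startswith(key + "\\"):
                hits[cat].add(ev.path)
    return dict(hits)


def assess(events):
    """Heuristic verdict: fingerprint reads by a baseline Office process
    alone score 'low'; the same reads by any other process score 'medium'."""
    hits = classify(events)
    if not hits:
        return "none", ()
    procs = {ev.process.upper() for ev in events}
    severity = "low" if procs <= OFFICE_BASELINE else "medium"
    return severity, TECHNIQUES


if __name__ == "__main__":
    evs = parse_iocs(REPORT_IOCS)
    for cat, paths in classify(evs).items():
        print(cat, sorted(paths))
    print(assess(evs))
```

Run against the six lines from this report, the parser yields two categories (cpu and bios, three paths each) and the verdict "low", because the only process involved is WINWORD.EXE; feed it the same lines with an unexpected process name and the verdict becomes "medium".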
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 4412; no child processes recorded)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\file-sample_500kB.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CE8C9E24.emf
  Filesize: 13KB
  MD5: b167b048f2720b3d32e08d312b0cc8c2
  SHA1: c39890f513ac7e09d17f2c3244e53e56564d80b2
  SHA256: cf1f5781b135ba0185c552322552d70b5c559f543a97ef03bc131a6bc63d4b66
  SHA512: 5cfb0a1e4155e4776542d94365ae298fe144fa46c37627ec974d572521343f13f66e80dd58ce6f10f28ec5cd385e06ff14b19fec2325740e1b5e026c8c7a6705
- C:\Users\Admin\AppData\Local\Temp\TCDD76F.tmp\sist02.xsl
  Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Memory dumps: 33 snapshots of pid 4412, named memory/4412-<seq>-<start>-<end>-memory.dmp, covering four distinct address ranges
  - 0x00007FF8E6570000-0x00007FF8E674B000 (1.9MB), 26 snapshots: seq 5, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 30, 31, 32, 33, 34, 35, 650, 714, 715
  - 0x00007FF8A6600000-0x00007FF8A6610000 (64KB), 4 snapshots: seq 0, 1, 3, 4
  - 0x00007FF8A3300000-0x00007FF8A3310000 (64KB), 2 snapshots: seq 14, 22
  - 0x00007FF8E6615000-0x00007FF8E6616000 (4KB), 1 snapshot: seq 2; this page lies inside the 1.9MB range above
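The memory dump names above follow the pattern memory/<pid>-<seq>-<start>-<end>-memory.dmp, and most of the 33 entries are repeated snapshots of the same few ranges. The Python below, added as an editor's example and not the sandbox's own tooling, parses a constructed subset of those names, coalesces them into distinct address ranges, recomputes each range's size from its start and end addresses to confirm the 1.9MB/64KB/4KB labels, and reports any range that lies inside another. The naming convention is read off the names printed above; nothing else about the sandbox's dump format is assumed.

```python
"""Coalesce per-snapshot memory dump names into distinct address ranges.

Editor-added example; not the sandbox's own tooling. The only assumption is
the memory/<pid>-<seq>-<start>-<end>-memory.dmp naming seen in the report.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: seven of the 33 dump names listed in the report.
SAMPLE_DUMPS = """
memory/4412-16-0x00007FF8E6570000-0x00007FF8E674B000-memory.dmp
memory/4412-3-0x00007FF8A6600000-0x00007FF8A6610000-memory.dmp
memory/4412-14-0x00007FF8A3300000-0x00007FF8A3310000-memory.dmp
memory/4412-2-0x00007FF8E6615000-0x00007FF8E6616000-memory.dmp
memory/4412-0-0x00007FF8A6600000-0x00007FF8A6610000-memory.dmp
memory/4412-650-0x00007FF8E6570000-0x00007FF8E674B000-memory.dmp
memory/4412-715-0x00007FF8E6570000-0x00007FF8E674B000-memory.dmp
"""


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples for each well-formed dump name."""
    out = []
    for name in text.split():
        m = DUMP_RE.match(name)
        if m:
            pid, seq, start, end = m.groups()
            out.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return out


def coalesce(dumps):
    """Map each distinct (pid, start, end) range to its sorted snapshot seqs."""
    regions = defaultdict(list)
    for pid, seq, start, end in dumps:
        regions[(pid, start, end)].append(seq)
    return {k: sorted(v) for k, v in regions.items()}


def human(n):
    """Size label in the report's own style: whole KB, or MB to one decimal."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def nested(regions):
    """Return (inner, outer) pairs where inner lies within outer (same pid)."""
    keys = list(regions)
    pairs = []
    for a in keys:
        for b in keys:
            if a != b and a[0] == b[0] and b[1] <= a[1] and a[2] <= b[2]:
                pairs.append((a, b))
    return pairs


def summarize(regions):
    """One line per range, most-snapshotted first."""
    lines = []
    for (pid, start, end), seqs in sorted(regions.items(), key=lambda kv: -len(kv[1])):
        lines.append(
            f"pid {pid} 0x{start:016X}-0x{end:016X} {human(end - start):>6} "
            f"x{len(seqs)} seq={seqs}"
        )
    return lines


if __name__ == "__main__":
    regions = coalesce(parse_dumps(SAMPLE_DUMPS))
    print("\n".join(summarize(regions)))
    for inner, outer in nested(regions):
        print(f"0x{inner[1]:X}-0x{inner[2]:X} lies inside 0x{outer[1]:X}-0x{outer[2]:X}")
```

On the sample, the seven names collapse to four ranges, the 0x7FF8E6570000 range computes to 1,945,600 bytes (the report's 1.9MB), and the single 4KB page at 0x7FF8E6615000 is flagged as lying inside it; run on the full list the same code shows the 26/4/2/1 snapshot split given above.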