Overview
overview
8Static
static
8$LOCALAPPD...7.dotm
windows7-x64
4$LOCALAPPD...7.dotm
windows10-2004-x64
1$LOCALAPPD...4.dotm
windows7-x64
4$LOCALAPPD...4.dotm
windows10-2004-x64
1$LOCALAPPD...6.dotm
windows7-x64
4$LOCALAPPD...6.dotm
windows10-2004-x64
1$LOCALAPPD...4.dotm
windows7-x64
4$LOCALAPPD...4.dotm
windows10-2004-x64
1$LOCALAPPD...6.dotm
windows7-x64
4$LOCALAPPD...6.dotm
windows10-2004-x64
1Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2024 07:42
Behavioral task
behavioral1
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2007.dotm
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2007.dotm
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2010x64.dotm
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2010x64.dotm
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2010x86.dotm
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2010x86.dotm
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2013x64.dotm
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2013x64.dotm
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2013x86.dotm
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2013x86.dotm
Resource
win10v2004-20240709-en
General
-
Target
$LOCALAPPDATA/Temp/mathtype.tmp/wordui2013x86.dotm
-
Size
760KB
-
MD5
e8d942e5227a2f8da3046e633a36d8b5
-
SHA1
111a5ffbf92ccb1bc165e3cb3f5bbbe99ea9eff4
-
SHA256
6d619a460f1fae1fda6e56b5921a1a42e5feab2cf212a8d4c8fc6040e8314e8b
-
SHA512
0b5e694f406bd9feda035a57e26f36b0f937ee899d6e417aa0bcf47ea187eee3c1d7acc9515810b955099b55fcfef5fd0665754a26260780d9b684c947866efa
-
SSDEEP
12288:xw/NlZRZFji5gFr8uu3agXWnvcBh0SXpwQ8BLJ90Tv7WSW9vFU8q2JczL0A8S8yo:mV/hegFIpmnaZwxJ9c7WP9vtTJkLL86o
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4408 WINWORD.EXE 4408 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE 4408 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\Temp\mathtype.tmp\wordui2013x86.dotm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4408
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD5d67a68cb4bbe42ed05ec59946479ac61
SHA1d847538dcd27303f003a72c16b938547c8fc7781
SHA256f2fa3a1aabb54f5834f793b7a19c828a2b2fd9611173bf07841ad22a60c4e17b
SHA5123ed592711b4d52a8b1797e4b50c4c0f1d854e2457b7ead3d0d210c7264e5d8acba85ea7167c2659c639ee49020a68f45bc499b572223d6697c31ab05dda64072