Analysis
-
max time kernel
114s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
a9c933f65d72dfa02fb0b94476c360777cea47f0bcb36c2ec696135ca5ddad9e.rtf
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a9c933f65d72dfa02fb0b94476c360777cea47f0bcb36c2ec696135ca5ddad9e.rtf
Resource
win10v2004-20240730-en
General
-
Target
a9c933f65d72dfa02fb0b94476c360777cea47f0bcb36c2ec696135ca5ddad9e.rtf
-
Size
87KB
-
MD5
692201af11c88bd4609ca5476b5aa8fb
-
SHA1
4d40bb5f52dab9183165c75495361eda687fd5e0
-
SHA256
a9c933f65d72dfa02fb0b94476c360777cea47f0bcb36c2ec696135ca5ddad9e
-
SHA512
c17e3a5c1efb435fa1abb4800e6026eaee9e088618d327458294e9652c7ceb662589a203c43d224ae2fb254374fde6aaa76cf892412e854c71bf0f306661d32c
-
SSDEEP
384:1qgLPI5lpTS/GNZV+wrm+iECwgrRQI3YL2jheM:1qgQlFGhwrdurRQjKj
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3976 WINWORD.EXE 3976 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
WINWORD.EXEpid process 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE 3976 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a9c933f65d72dfa02fb0b94476c360777cea47f0bcb36c2ec696135ca5ddad9e.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3976
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize2KB
MD5b073889cc5c8d183e85987b02a599419
SHA1ed0a5e9c500e1838765ad5c1a60bc57ec6cbd4fd
SHA2565afd8bf5c2b632d346c6880ea9ee03dd1716d24bfb83e0617658fdd8ff25f280
SHA512fbac2cb103ed611074d7d554a0f8a44e73c7b001eb85081833ed5ca74cc394dc555f1c650b9e192d838a1c9900ddb80f28851c2d4cdd484e8d323d58fd614dd3