Analysis
-
max time kernel
112s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/09/2024, 13:58
Static task
static1
Behavioral task
behavioral1
Sample
TOTEST_Marlene 0794-PYMTADV Mda.docx
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
TOTEST_Marlene 0794-PYMTADV Mda.docx
Resource
win10v2004-20240802-en
General
-
Target
TOTEST_Marlene 0794-PYMTADV Mda.docx
-
Size
47KB
-
MD5
5129f62373c978b5744280628c9f52d7
-
SHA1
5dbd01f15fb3f2b8e6f75cebd5c49ca100b5280c
-
SHA256
f5cf5306f76819d9885cbcd915579a132360198e43a3ba844c7bb6e075704bef
-
SHA512
bb9d8ecbe3f0ebdf481686eeff412c213952c0594ec65d73f148ececd3aea8af9c7a5642f6a207bcb987d524cd92aa353af21a004786ea21b269ed69e4f0518b
-
SSDEEP
768:aFc+tdl2q9SSO5UgdjCjftlhO44HOKwBk99zsJYkYK:hW2qDO7jCXUXuPy7zGYK
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1168 WINWORD.EXE 1168 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE 1168 WINWORD.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TOTEST_Marlene 0794-PYMTADV Mda.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1168
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD55df715b675c0960e066aab2f0a99489e
SHA14677b3d231fd67e6e13db8c69715daa633c3e7ed
SHA256bdbf6d48f60add356228fb7c4558608f494330a7ae708d7cdd239ad2b24dd694
SHA51243ca7bda15891be7dc99a9da83627e799f645e791afd48930a216eebdb35c0e68ea8008bf48e28d9a0f7121059fcd2c55729d840dde2fd62d0e887311131b92e