b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

Analysis

max time kernel
101s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pfZVX.doc
Size

221KB
MD5

28e855032f83adbd2d8499af6d2d0e22
SHA1

6b590325e2e465d9762fa5d1877846667268558a
SHA256

b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512

e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
SSDEEP

3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score

4^/10

defense_evasion

Malware Config

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{01BFFFA6-2B1A-444B-8278-F92AD6AB248C}\8tr.exe:Zone.Identifier	WINWORD.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{01BFFFA6-2B1A-444B-8278-F92AD6AB248C}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1936	WINWORD.EXE
1936	WINWORD.EXE
4624	WINWORD.EXE

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
1936	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE
4624	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 5064	1936	WINWORD.EXE	83
PID 1936 wrote to memory of 5064	1936	WINWORD.EXE	83

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\pfZVX.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5064

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
5b9abf66452eeea1d7c44fb81e6c7047

SHA1
a3eda0a768aea6e3a021e988ac5cf9c15e11072d

SHA256
285dc0e6a72e0d4f76f67008be3bd353cbd27504af8e4d764b14210b8b2d0f75

SHA512
e79df652950bb3a859d8aae8a05af9f70e510633e48e65f89948af06b1b34daa51973909483e09c54d0f4484d8146922950e9ac1e33c06225959fd86068d4e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
bd39fd8bbd0a941e11a8637cde3760e9

SHA1
7b44e9663d58b0029f9cb3c72a9c25c672caf1f7

SHA256
ba48a321b9384a921fbb43def3da150719aded55a121d229f63ea58d725cd429

SHA512
38c305838e5e338abe1195c172c9510067da9e5af94ccd74f37ec7fdf13aaa5a227d1a6792e9b67b87f3af144d333b1bd1f2f6e7edfa8ee24a9904ad7276ab94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
11KB

MD5
e35ff0354f88a41df543d06dddff7cc5

SHA1
c9a001694c3a97deef0c126dc661c7b364b61467

SHA256
3edba11ac3a79521e3806b26fd65f2fa31d17c6512978a2c5973dbe36b09cef3

SHA512
24898ebeac1ba738de25223e1c8534236ed381a7ff4d82d7e8ae3d94d4bcbc1c3464b259757bf33a80acd6313fb157cce8f255dbb69d9d7de189de9b77a09832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
12d17f8ff8451629ca81ae15c94fb223

SHA1
b4f30ddf7d5f1619cf56b20a4c36c0529b5b8610

SHA256
11244b5f7cce3ad85ae1c9c5f39a9d7d8a565b5f0d6c744294497e05eaff984e

SHA512
cfe79ffd2b57e945568b064b8f97c68c2361e75f3a5bed0a5b1a2e918456cdc845e46b0a865f9daf22cca9b47e1be4a674405f1140858aded7ad5a01c00dcad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FFC108E4.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDEC8A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
2642773577dc7cfb84bfea21728fe112

SHA1
31abc88445f7f3e253265d3112ab341dac8e7804

SHA256
0a669e22633a4fc91d677e0974a7cbda493f87f0d76fed100d13440f707377ef

SHA512
40181c2d5ea9cd4e35eb629e6d5ebfb9e748dd47d07ad1c309f19d1d689c4ff91913642191d5282a2c47eb787abf3d0939aaf40aa0ca80b082d7421ede3eed6b

Download Submit
memory/1936-163-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-7-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-56-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-4-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/1936-5-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-9-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-0-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/1936-118-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-144-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-143-0x00007FF97E42D000-0x00007FF97E42E000-memory.dmp

Filesize
4KB

Download
memory/1936-444-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-1-0x00007FF97E42D000-0x00007FF97E42E000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/1936-2-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/1936-158-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-11-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-8-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/1936-12-0x00007FF93BCB0000-0x00007FF93BCC0000-memory.dmp

Filesize
64KB

Download
memory/1936-10-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/1936-13-0x00007FF93BCB0000-0x00007FF93BCC0000-memory.dmp

Filesize
64KB

Download
memory/1936-6-0x00007FF97E390000-0x00007FF97E585000-memory.dmp

Filesize
2.0MB

Download
memory/4624-155-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/4624-156-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/4624-157-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download
memory/4624-154-0x00007FF93E410000-0x00007FF93E420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads